Avoid the use of PIL to determine the image type
Bug #1381284 reported by
François Marier
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Libravatar (obsolete) | Confirmed | High | Unassigned |
Bug Description
Currently, when an image is uploaded, we open it in PIL to check its format:
https:/
https:/
We should avoid doing that in case there is a vulnerability in PIL since that would compromise the Django process.
Perhaps we should use file or simply trust the mimetype sent by the browser.