Avoid the use of PIL to determine the image type

Bug #1381284 reported by François Marier
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Libravatar (obsolete) | Confirmed | High | Unassigned |

Bug Description

Currently, when an image is uploaded, we open it in PIL to check its format:

  https://gitorious.org/libravatar/libravatar/source/bbebda5000c8ce4cd883558b863b1adbc90b830a:libravatar/account/models.py#L147
  https://gitorious.org/libravatar/libravatar/source/bbebda5000c8ce4cd883558b863b1adbc90b830a:libravatar/account/models.py#L218

We should avoid doing that in case there is a vulnerability in PIL since that would compromise the Django process.

Perhaps we should use file or simply trust the mimetype sent by the browser.
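
One way to check the format without opening the upload in PIL, shown as an added example that is not part of the original report or of Libravatar's code: compare the first bytes of the file against known signatures and cross-check the result against the browser-supplied mimetype. The function names and the PNG/JPEG/GIF allow-list are assumptions made for illustration.

```python
# Added example, not Libravatar code: identify an upload's format from its
# leading bytes only, so no image decoder runs inside the web process.
import io

# Assumed allow-list (the bug report does not say which formats are accepted).
SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"GIF87a", "GIF"),
    (b"GIF89a", "GIF"),
)
HEADER_LEN = max(len(sig) for sig, _ in SIGNATURES)


def sniff_image_format(stream):
    """Return 'PNG', 'JPEG', 'GIF' or None; reads at most HEADER_LEN bytes."""
    start = stream.tell()
    try:
        header = stream.read(HEADER_LEN)
    finally:
        stream.seek(start)  # leave the upload untouched for later storage
    for signature, name in SIGNATURES:
        if header.startswith(signature):
            return name
    return None


def check_upload(stream, claimed_mimetype):
    """Accept only if the sniffed format matches the browser-supplied type."""
    expected = {"image/png": "PNG", "image/jpeg": "JPEG", "image/gif": "GIF"}
    sniffed = sniff_image_format(stream)
    if sniffed is None or expected.get(claimed_mimetype) != sniffed:
        return None
    return sniffed


if __name__ == "__main__":
    # Constructed sample inputs: real signatures followed by filler bytes.
    samples = {
        "png": io.BytesIO(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        "jpeg": io.BytesIO(b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        "html": io.BytesIO(b"<html><script>"),
    }
    for label, data in samples.items():
        print(label, sniff_image_format(data))
```

A signature match says nothing about the rest of the file, so any later decoding or resizing still parses untrusted data and is best done outside the Django process.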
