# HG changeset patch
# User neko259
# Date 2017-01-10 22:24:47
# Node ID 668d6c7d1d462961f5f77efc819c88552b749ef8
# Parent 1bcad2dd3aa420230111e15fd02e3f569166d659
Decompression bomb protection in image viewing
diff --git a/boards/models/attachment/viewers.py b/boards/models/attachment/viewers.py
--- a/boards/models/attachment/viewers.py
+++ b/boards/models/attachment/viewers.py
@@ -1,5 +1,7 @@
 import re
+from PIL import Image
+
 from django.contrib.staticfiles import finders
 from django.contrib.staticfiles.templatetags.staticfiles import static
 from django.core.files.images import get_image_dimensions
@@ -145,7 +147,15 @@ class ImageViewer(AbstractViewer):
 def get_format_view(self):
 metadata = '{}, {}'.format(self.file.name.split('.')[-1], filesizeformat(self.file.size))
- width, height = get_image_dimensions(self.file.path)
+
+ Image.warnings.simplefilter('error', Image.DecompressionBombWarning)
+ try:
+ width, height = get_image_dimensions(self.file.path)
+ except Exception:
+ # If the image is a decompression bomb, treat it as just a regular
+ # file
+ return super().get_format_view()
+
 preview_path = self.file.path.replace('.', '.200x150.')
 pre_width, pre_height = get_image_dimensions(preview_path)
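Review bot: The `except Exception:` added around `get_image_dimensions(self.file.path)` in `get_format_view` catches far more than a decompression bomb, so a missing file, a permission error or a decoder fault is silently rendered as a plain attachment. Narrow it to `except Image.DecompressionBombWarning:`; newer Pillow releases also raise `Image.DecompressionBombError` for very large images, which would need to be listed as well. The `Image.warnings.simplefilter('error', Image.DecompressionBombWarning)` call just above it rewrites the process-wide warning filter on every render and reaches the `warnings` module through PIL's namespace; `import warnings` plus one module-level `warnings.simplefilter('error', Image.DecompressionBombWarning)` would state the intent once. Because the filter is only installed when this view method runs, any code that decodes the upload earlier (thumbnail generation, for instance, which is not visible in this hunk) may still run with the warning as a plain warning and should be checked. The body of `get_format_view` continues past the end of the hunk.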