u/bodqhrohro/swineboard Commit - r1820:668d6c7d

Decompression bomb protection in image viewing

neko259 -

r1820:668d6c7d default

parent child

boards/models/attachment/viewers.py

0 +10 0

              import re
+             from PIL import Image
              from django.contrib.staticfiles import finders
              from django.contrib.staticfiles.templatetags.staticfiles import static
              from django.core.files.images import get_image_dimensions
                  def get_format_view(self):
                      metadata = '{}, {}'.format(self.file.name.split('.')[-1],
                                                 filesizeformat(self.file.size))
+                     Image.warnings.simplefilter('error', Image.DecompressionBombWarning)
+                     try:
                      width, height = get_image_dimensions(self.file.path)
+                     except Exception:
+                         # If the image is a decompression bomb, treat it as just a regular
+                         # file
+                         return super().get_format_view()
                      preview_path = self.file.path.replace('.', '.200x150.')
                      pre_width, pre_height = get_image_dimensions(preview_path)

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages