[1.3.x] Fixed a security issue in image uploading. Disclosure and release forthcoming.

Backport of dd16b17099 from master.
2012-07-30 21:55:23 +02:00 · 2012-07-30 21:55:23 +02:00 · 9ca0ff6268
parent 7ca10b1dac
commit 9ca0ff6268
1 changed files with 6 additions and 1 deletions
--- a/django/core/files/images.py
+++ b/django/core/files/images.py
@ -47,13 +47,18 @@ def get_image_dimensions(file_or_path, close=False):
        file = open(file_or_path, 'rb')
        close = True
    try:
+        # Most of the time PIL only needs a small chunk to parse the image and
+        # get the dimensions, but with some TIFF files PIL needs to parse the
+        # whole file.
+        chunk_size = 1024
        while 1:
-            data = file.read(1024)
+            data = file.read(chunk_size)
            if not data:
                break
            p.feed(data)
            if p.image:
                return p.image.size
+            chunk_size = chunk_size*2
        return None
    finally:
        if close: