Fixed second security issue in image uploading. Disclosure and release forthcoming.

2012-07-30 21:57:22 +02:00 · 2012-07-30 21:57:22 +02:00 · b1d4634686
parent dd16b17099
commit b1d4634686
1 changed files with 4 additions and 14 deletions
--- a/django/forms/fields.py
+++ b/django/forms/fields.py
@ -560,20 +560,10 @@ class ImageField(FileField):
                file = BytesIO(data['content'])

        try:
-            # load() is the only method that can spot a truncated JPEG,
-            #  but it cannot be called sanely after verify()
-            trial_image = Image.open(file)
-            trial_image.load()
-
-            # Since we're about to use the file again we have to reset the
-            # file object if possible.
-            if hasattr(file, 'seek') and callable(file.seek):
-                file.seek(0)
-
-            # verify() is the only method that can spot a corrupt PNG,
-            #  but it must be called immediately after the constructor
-            trial_image = Image.open(file)
-            trial_image.verify()
+            # load() could spot a truncated JPEG, but it loads the entire
+            # image in memory, which is a DoS vector. See #3848 and #18520.
+            # verify() must be called immediately after the constructor.
+            Image.open(file).verify()
        except ImportError:
            # Under PyPy, it is possible to import PIL. However, the underlying
            # _imaging C module isn't available, so an ImportError will be