author | Florian Apolloner <florian@apolloner.eu> | 2012-07-30 21:55:23 +0200 |
---|---|---|
committer | Florian Apolloner <florian@apolloner.eu> | 2012-07-30 21:55:23 +0200 |
commit | 9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155 (patch) | |
tree | 05ebaac14ee5dea3f4e869ee846ef9ffda9c7f8b | |
parent | 7ca10b1dac758924f9bbd219880cc17a537c5e47 (diff) | |
download | django-9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155.tar.gz |
[1.3.x] Fixed a security issue in image uploading. Disclosure and release forthcoming.
Backport of dd16b17099b7d86f27773df048c5014cf439b282 from master.
-rw-r--r-- | django/core/files/images.py | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/django/core/files/images.py b/django/core/files/images.py
index 228a7118c5..7d7eac65db 100644
--- a/django/core/files/images.py
+++ b/django/core/files/images.py
@@ -47,13 +47,18 @@ def get_image_dimensions(file_or_path, close=False):
 file = open(file_or_path, 'rb')
 close = True
 try:
+ # Most of the time PIL only needs a small chunk to parse the image and
+ # get the dimensions, but with some TIFF files PIL needs to parse the
+ # whole file.
+ chunk_size = 1024
 while 1:
- data = file.read(1024)
+ data = file.read(chunk_size)
 if not data:
 break
 p.feed(data)
 if p.image:
 return p.image.size
+ chunk_size = chunk_size*2
 return None
 finally:
 if close: |
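Review bot: The new comment above `chunk_size = 1024` says PIL may need the whole file, but not why the read size doubles at `chunk_size = chunk_size*2`. It should add that doubling keeps the number of `p.feed()` calls roughly logarithmic in the file size, which appears to be the point of the fix. The growth is also unbounded, so for a large file that never yields `p.image` a single `file.read()` can approach half the file size in one buffer. If callers can pass files whose size is not limited upstream, consider a ceiling such as `chunk_size = min(chunk_size * 2, MAX_CHUNK)`, where `MAX_CHUNK` is a placeholder name. The body of `get_image_dimensions` starts and ends outside the hunk, so the parser setup and the rest of the `finally` cleanup are not visible here.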