[SECURITY] Do not allow Pillow to parse EPS files

Raphael Michel
2023-09-11 18:57:08 +02:00
parent b16680e0e5
commit 7545e92373
13 changed files with 60 additions and 27 deletions


@@ -22,6 +22,7 @@
import logging
from io import BytesIO
from django.conf import settings
from django.core.exceptions import ValidationError
from django.utils.translation import gettext_lazy as _
from PIL.Image import MAX_IMAGE_PIXELS, DecompressionBombError
@@ -51,7 +52,7 @@ def validate_uploaded_file_for_valid_image(f):
try:
try:
image = Image.open(file)
image = Image.open(file, formats=settings.PILLOW_FORMATS_QUESTIONS_IMAGE)
# verify() must be called immediately after the constructor.
image.verify()
except DecompressionBombError:
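Review bot: The allow-list passed to `Image.open()` fails open if `settings.PILLOW_FORMATS_QUESTIONS_IMAGE` ever resolves to `None`, because Pillow treats `formats=None` as "try every registered plugin", which would bring EPS parsing back without any error. The setting's definition is not visible in this section, so this may already be guaranteed elsewhere; if it is not, a guard before the call such as `if not settings.PILLOW_FORMATS_QUESTIONS_IMAGE: raise ImproperlyConfigured("PILLOW_FORMATS_QUESTIONS_IMAGE must list the allowed formats")` (with `ImproperlyConfigured` imported from `django.core.exceptions`) keeps the check fail-closed. A short comment above the call, for example `# Explicit allow-list: formats=None would let Pillow try every plugin, including EPS.`, would also keep a later cleanup from dropping the argument. The body of validate_uploaded_file_for_valid_image starts and ends outside the hunk.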