[SECURITY] Do not allow Pillow to parse EPS files

2026-05-06 15:24:02 +00:00 · 2023-09-11 18:57:08 +02:00
parent b16680e0e5
commit 7545e92373
13 changed files with 60 additions and 27 deletions
--- a/src/pretix/base/settings.py
+++ b/src/pretix/base/settings.py
@@ -2793,7 +2793,7 @@ Your {organizer} team"""))  # noqa: W291
        'form_class': ExtFileField,
        'form_kwargs': dict(
            label=_('Header image'),
-            ext_whitelist=(".png", ".jpg", ".gif", ".jpeg"),
+            ext_whitelist=settings.FILE_UPLOAD_EXTENSIONS_IMAGE,
            max_size=settings.FILE_UPLOAD_MAX_SIZE_IMAGE,
            help_text=_('If you provide a logo image, we will by default not show your event name and date '
                        'in the page header. By default, we show your logo with a size of up to 1140x120 pixels. You '
@@ -2836,7 +2836,7 @@ Your {organizer} team"""))  # noqa: W291
        'form_class': ExtFileField,
        'form_kwargs': dict(
            label=_('Header image'),
-            ext_whitelist=(".png", ".jpg", ".gif", ".jpeg"),
+            ext_whitelist=settings.FILE_UPLOAD_EXTENSIONS_IMAGE,
            max_size=settings.FILE_UPLOAD_MAX_SIZE_IMAGE,
            help_text=_('If you provide a logo image, we will by default not show your organization name '
                        'in the page header. By default, we show your logo with a size of up to 1140x120 pixels. You '
@@ -2876,7 +2876,7 @@ Your {organizer} team"""))  # noqa: W291
        'form_class': ExtFileField,
        'form_kwargs': dict(
            label=_('Social media image'),
-            ext_whitelist=(".png", ".jpg", ".gif", ".jpeg"),
+            ext_whitelist=settings.FILE_UPLOAD_EXTENSIONS_IMAGE,
            max_size=settings.FILE_UPLOAD_MAX_SIZE_IMAGE,
            help_text=_('This picture will be used as a preview if you post links to your ticket shop on social media. '
                        'Facebook advises to use a picture size of 1200 x 630 pixels, however some platforms like '
@@ -2897,7 +2897,7 @@ Your {organizer} team"""))  # noqa: W291
        'form_class': ExtFileField,
        'form_kwargs': dict(
            label=_('Logo image'),
-            ext_whitelist=(".png", ".jpg", ".gif", ".jpeg"),
+            ext_whitelist=settings.FILE_UPLOAD_EXTENSIONS_IMAGE,
            required=False,
            max_size=settings.FILE_UPLOAD_MAX_SIZE_IMAGE,
            help_text=_('We will show your logo with a maximal height and width of 2.5 cm.')