[SECURITY] Do not allow Pillow to parse EPS files

2026-05-08 15:44:02 +00:00 · 2023-09-11 18:57:08 +02:00
parent b16680e0e5
commit 7545e92373
13 changed files with 60 additions and 27 deletions
--- a/src/pretix/helpers/reportlab.py
+++ b/src/pretix/helpers/reportlab.py
@@ -20,8 +20,9 @@
 # <https://www.gnu.org/licenses/>.
 #
 from arabic_reshaper import ArabicReshaper
+from django.conf import settings
 from django.utils.functional import SimpleLazyObject
-from PIL.Image import Resampling
+from PIL import Image
 from reportlab.lib.utils import ImageReader


@@ -33,7 +34,7 @@ class ThumbnailingImageReader(ImageReader):
            height = width * self._image.size[1] / self._image.size[0]
        self._image.thumbnail(
            size=(int(width * dpi / 72), int(height * dpi / 72)),
-            resample=Resampling.BICUBIC
+            resample=Image.Resampling.BICUBIC
        )
        self._data = None
        return width, height
@@ -44,6 +45,9 @@ class ThumbnailingImageReader(ImageReader):
        # (smaller) size of the modified image.
        return None

+    def _read_image(self, fp):
+        return Image.open(fp, formats=settings.PILLOW_FORMATS_IMAGE)
+

 reshaper = SimpleLazyObject(lambda: ArabicReshaper(configuration={
    'delete_harakat': True,