[SECURITY] Do not allow Pillow to parse EPS files

2026-05-08 15:44:02 +00:00 · 2023-09-11 18:57:08 +02:00
parent b16680e0e5
commit 7545e92373
13 changed files with 60 additions and 27 deletions
--- a/src/pretix/helpers/thumb.py
+++ b/src/pretix/helpers/thumb.py
@@ -23,6 +23,7 @@ import hashlib
 import math
 from io import BytesIO

+from django.conf import settings
 from django.core.files.base import ContentFile
 from django.core.files.storage import default_storage
 from PIL import Image, ImageOps, ImageSequence
@@ -165,7 +166,7 @@ def resize_image(image, size):

 def create_thumbnail(sourcename, size):
    source = default_storage.open(sourcename)
-    image = Image.open(BytesIO(source.read()))
+    image = Image.open(BytesIO(source.read()), formats=settings.PILLOW_FORMATS_QUESTIONS_IMAGE)
    try:
        image.load()
    except: