Validate image size in pixels at upload time (#3003)

2026-05-06 15:24:02 +00:00 · 2023-01-12 16:30:28 +01:00
parent 738301d2af
commit 9dd3b12625
16 changed files with 226 additions and 16 deletions
--- a/src/pretix/api/views/upload.py
+++ b/src/pretix/api/views/upload.py
@@ -21,6 +21,7 @@
 #
 import datetime

+from django.core.exceptions import ValidationError as DjangoValidationError
 from django.utils.timezone import now
 from oauth2_provider.contrib.rest_framework import OAuth2Authentication
 from rest_framework.authentication import SessionAuthentication
@@ -33,6 +34,9 @@ from pretix.api.auth.device import DeviceTokenAuthentication
 from pretix.api.auth.permission import AnyAuthenticatedClientPermission
 from pretix.api.auth.token import TeamTokenAuthentication
 from pretix.base.models import CachedFile
+from pretix.helpers.images import (
+    IMAGE_TYPES, validate_uploaded_file_for_valid_image,
+)

 ALLOWED_TYPES = {
    'image/gif': {'.gif'},
@@ -61,6 +65,13 @@ class UploadView(APIView):
                name=file_obj.name,
                type=content_type
            ))
+
+        if content_type in IMAGE_TYPES:
+            try:
+                validate_uploaded_file_for_valid_image(file_obj)
+            except DjangoValidationError as e:
+                raise ValidationError(e.message)
+
        cf = CachedFile.objects.create(
            expires=now() + datetime.timedelta(days=1),
            date=now(),
--- a/src/pretix/base/forms/questions.py
+++ b/src/pretix/base/forms/questions.py
@@ -531,7 +531,7 @@ class PortraitImageField(SizeValidationMixin, ExtValidationMixin, forms.FileFiel
                    code='aspect_ratio_not_3_by_4',
                )
        except Exception as exc:
-            logger.exception('foo')
+            logger.exception('Could not parse image')
            # Pillow doesn't recognize it as an image.
            if isinstance(exc, ValidationError):
                raise
--- a/src/pretix/base/models/items.py
+++ b/src/pretix/base/models/items.py
@@ -62,6 +62,7 @@ from pretix.base.models.base import LoggedModel
 from pretix.base.models.fields import MultiStringField
 from pretix.base.models.tax import TaxedPrice

+from ...helpers.images import ImageSizeValidator
 from .event import Event, SubEvent


@@ -429,7 +430,8 @@ class Item(LoggedModel):
    picture = models.ImageField(
        verbose_name=_("Product picture"),
        null=True, blank=True, max_length=255,
-        upload_to=itempicture_upload_to
+        upload_to=itempicture_upload_to,
+        validators=[ImageSizeValidator()]
    )
    available_from = models.DateTimeField(
        verbose_name=_("Available from"),
--- a/src/pretix/control/forms/init.py
+++ b/src/pretix/control/forms/init.py
@@ -51,6 +51,9 @@ from django_scopes.forms import SafeModelMultipleChoiceField
 from pretix.helpers.hierarkey import clean_filename

 from ...base.forms import I18nModelForm
+from ...helpers.images import (
+    IMAGE_EXTS, validate_uploaded_file_for_valid_image,
+)

 # Import for backwards compatibility with okd import paths
 from ...base.forms.widgets import (  # noqa
@@ -220,6 +223,10 @@ class ExtValidationMixin:
            ext = ext.lower()
            if ext not in self.ext_whitelist:
                raise forms.ValidationError(_("Filetype not allowed!"))
+
+            if ext in IMAGE_EXTS:
+                validate_uploaded_file_for_valid_image(data)
+
        return data


--- a/src/pretix/helpers/images.py
+++ b/src/pretix/helpers/images.py
@@ -0,0 +1,85 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020 Raphael Michel and contributors
+# Copyright (C) 2020-2021 rami.io GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+import logging
+from io import BytesIO
+
+from django.core.exceptions import ValidationError
+from django.utils.translation import gettext_lazy as _
+from PIL.Image import MAX_IMAGE_PIXELS, DecompressionBombError
+
+IMAGE_TYPES = {'image/gif', 'image/jpeg', 'image/png'}
+IMAGE_EXTS = {'.gif', '.jpg', '.jpeg', '.png'}
+
+
+logger = logging.getLogger(__name__)
+
+
+def validate_uploaded_file_for_valid_image(f):
+    if f is None:
+        return None
+
+    from PIL import Image
+
+    # We need to get a file object for Pillow. We might have a path or we might
+    # have to read the data into memory.
+    if hasattr(f, 'temporary_file_path'):
+        file = f.temporary_file_path()
+    else:
+        if hasattr(f, 'read'):
+            file = BytesIO(f.read())
+        else:
+            file = BytesIO(f['content'])
+
+    try:
+        try:
+            image = Image.open(file)
+            # verify() must be called immediately after the constructor.
+            image.verify()
+        except DecompressionBombError:
+            raise ValidationError(_(
+                "The file you uploaded has a very large number of pixels, please upload a picture with smaller dimensions."
+            ))
+
+        # load() is a potential DoS vector (see Django bug #18520), so we verify the size first
+        if image.width * image.height > MAX_IMAGE_PIXELS:
+            raise ValidationError(_(
+                "The file you uploaded has a very large number of pixels, please upload a picture with smaller dimensions."
+            ))
+    except Exception as exc:
+        logger.exception('Could not parse image')
+        # Pillow doesn't recognize it as an image.
+        if isinstance(exc, ValidationError):
+            raise
+        raise ValidationError(_(
+            "Upload a valid image. The file you uploaded was either not an image or a corrupted image."
+        )) from exc
+    if hasattr(f, 'seek') and callable(f.seek):
+        f.seek(0)
+
+
+class ImageSizeValidator:
+    def __call__(self, image):
+        if image.width * image.height > MAX_IMAGE_PIXELS:
+            raise ValidationError(_(
+                "The file you uploaded has a very large number of pixels, please upload a picture with smaller dimensions."
+            ))
+        return image
--- a/src/pretix/testutils/api.py
+++ b/src/pretix/testutils/api.py
@@ -29,4 +29,4 @@ class UploadRenderer(BaseRenderer):

    def render(self, data, accepted_media_type=None, renderer_context=None):
        self.media_type = data['media_type']
-        return data['file']
+        return data['file'].read()