Opened 18 years ago
Closed 17 years ago
#3848 closed (fixed)
Image validator: fails to spot image truncation or corruption
Reported by: | Owned by: | nobody | |
---|---|---|---|
Component: | Core (Other) | Version: | dev |
Severity: | Keywords: | images, image, validation, verification, PIL | |
Cc: | dev@… | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
django.core.validators.isValidImage in trunk does not detect corrupt or truncated images: more PIL calls than just the constructor need to be made in order to effect the full set of checks PIL is capable of, because most PIL.xxxImagePlugin modules read no more data than is necessary at construction time. One of load() or verify() (or both if possible) must be called on the PIL.Image object in order to perform the fullest set of checks.
To reproduce:
- Prepare truncated/corrupted PNG or JPEG files with vi, dd, based on some known-good images, and leaving the first few bytes of the image header intact.
- Test that PIL can spot that the images are corrupt:
>>> from PIL import Image >>> from cStringIO import StringIO >>> i = Image.open(StringIO(open('hi_truncated.png', 'r').read())) >>> i.verify() [...] IndexError: string index out of range >>> i = Image.open(StringIO(open('hi_truncated.jpg', 'r').read())) >>> i.load() [...] IOError: image file is truncated (46 bytes not processed) >>>
- Set up a model with an ImageField
- Try to upload one of the bad images you prepared via the django admin interface.
Expected behaviour:
- Upload will be rejected with the message "Upload a valid image. The file you uploaded was either not an image or a corrupted image."
Observed behaviour as of [4836] (and presumably all the way back to [3]):
- Image is accepted as if it were non-corrupt.
This is my first django bug report, so I hope I'm doing it right. I could provide a test case if you like, but I noticed that the existing test framework makes no attempt to test this area of code in order to avoid a dependency on PIL at test time.
Attachments (2)
Change History (5)
by , 18 years ago
Attachment: | django_core_validators_isValidImage.diff added |
---|
by , 18 years ago
Attachment: | django_core_validators_isValidImage.better-message.diff added |
---|
follow-up: 2 comment:1 by , 18 years ago
Cc: | added |
---|---|
Triage Stage: | Unreviewed → Ready for checkin |
Looks good to me.
comment:2 by , 17 years ago
Replying to Simon G. <dev@simon.net.nz>:
Looks good to me.
Does this patch need any further work from me? It's been "Ready for checkin" for 3 months without any flagged need for documentation, improvement, or tests.
Do you need anything more from me? I'd be happy to oblige, just let me know.
comment:3 by , 17 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Improve the phrasing of the Debug-mode error message addendum