Image validator: fails to spot image truncation or corruption
|Reported by:||Owned by:||nobody|
|Severity:||Keywords:||images, image, validation, verification, PIL|
|Cc:||dev@…||Triage Stage:||Ready for checkin|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
django.core.validators.isValidImage in trunk does not detect corrupt or truncated images: more PIL calls than just the constructor need to be made in order to effect the full set of checks PIL is capable of, because most PIL.xxxImagePlugin modules read no more data than is necessary at construction time. One of load() or verify() (or both if possible) must be called on the PIL.Image object in order to perform the fullest set of checks.
- Prepare truncated/corrupted PNG or JPEG files with vi, dd, based on some known-good images, and leaving the first few bytes of the image header intact.
- Test that PIL can spot that the images are corrupt:
    >>> from PIL import Image
    >>> from cStringIO import StringIO
    >>> i = Image.open(StringIO(open('hi_truncated.png', 'r').read()))
    >>> i.verify()
    [...]
    IndexError: string index out of range
    >>> i = Image.open(StringIO(open('hi_truncated.jpg', 'r').read()))
    >>> i.load()
    [...]
    IOError: image file is truncated (46 bytes not processed)
    >>>
- Set up a model with an ImageField
- Try to upload one of the bad images you prepared via the django admin interface.
- Expected: Upload will be rejected with the message "Upload a valid image. The file you uploaded was either not an image or a corrupted image."
- Actual: Image is accepted as if it were non-corrupt.
This is my first django bug report, so I hope I'm doing it right. I could provide a test case if you like, but I noticed that the existing test framework makes no attempt to test this area of code in order to avoid a dependency on PIL at test time.
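The gap described in this report, shown as an added example that is not Django's or PIL's code: a standard-library stand-in where a check that stops at the PNG header accepts a truncated or corrupted file, while a full chunk walk rejects it. The names `make_png`, `header_only_check` and `full_check` are hypothetical, and the sample image is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, data):
    # PNG chunk layout: 4-byte length, 4-byte type, data, CRC32 over type+data
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width=8, height=8):
    """Constructed sample input: a small, valid 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(range(width)) for _ in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))

def header_only_check(data):
    """Reads no further than the signature and the IHDR chunk header."""
    if len(data) < 33 or data[:8] != PNG_SIG:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    return ctype == b"IHDR" and length == 13

def full_check(data):
    """Walks every chunk: bounds, CRC, IEND present, IDAT stream decompresses."""
    if not header_only_check(data):
        return False
    pos, idat = 8, b""
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False  # chunk claims more bytes than the file holds
        payload = data[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            return False  # corrupted chunk
        if ctype == b"IDAT":
            idat += payload
        elif ctype == b"IEND":
            try:
                zlib.decompress(idat)
                return True
            except zlib.error:
                return False
        pos = end
    return False  # ran out of data before IEND: truncated
```

With PIL itself, the equivalent of `full_check` is calling `verify()` or `load()` on the opened image, as the session above shows.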
Change History (5)
comment:1 follow-up: 2 Changed 10 years ago by
|Patch needs improvement:||unset|
|Triage Stage:||Unreviewed → Ready for checkin|