Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(security): Bump Pillow #19662

Merged
merged 1 commit into from
Jul 1, 2020
Merged

fix(security): Bump Pillow #19662

merged 1 commit into from
Jul 1, 2020

Conversation

untitaker
Copy link
Member

@untitaker
Copy link
Member Author

It seems that Pillow has released CVEs without actually releasing the versions that supposedly fix the security issues.

python-pillow/Pillow#4750

billyvg
billyvg approved these changes Jul 1, 2020
View reviewed changes
Copy link
Member

@billyvg billyvg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving to unblock our CI, but we should follow up on this

@iProgramStuff iProgramStuff self-requested a review July 1, 2020 15:38
@untitaker untitaker merged commit f7dd579 into master Jul 1, 2020
@untitaker untitaker deleted the fix/bump-pillow branch July 1, 2020 16:06
@joshuarli
Copy link
Member

All these CVEs affect decoding of some less popular image formats (FLI, PCX, TIFF, JPEG 2000, SGI-RLE): python-pillow/Pillow#4538

So, sentry.models.avatar.get_cached_photo is unaffected (it only resizes and encodes into PNG).

I imagine not many people at all would care if we blocked everything but JPEG or PNG uploads. I know JPEG 2000 is slowly gaining in popularity, but hopefully we're on py3 by the time it's more universal?

The format can be identified by reading Image.format after an image open, or stdlib imghdr although if you search for "imghdr python bug" you get a lot of hits, haha. A few that look pretty good (but are py3-only): https://github.com/cdgriffith/puremagic, https://github.com/h2non/filetype.py. Calibre also maintains their own imghdr.py and I believe the creator/primary maintainer intends to support py2 for a long time.

@untitaker
Copy link
Member Author

untitaker commented Jul 1, 2020 via email

@joshuarli
Copy link
Member

Image types are generally(?) inferred from magic bytes, not during decoding. But I have not verified this.

@joshuarli joshuarli mentioned this pull request Jul 2, 2020
Merged
@github-actions github-actions bot locked and limited conversation to collaborators Dec 18, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@iProgramStuff iProgramStuff iProgramStuff approved these changes

@billyvg billyvg billyvg approved these changes

@joshuarli joshuarli Awaiting requested review from joshuarli

@mitsuhiko mitsuhiko Awaiting requested review from mitsuhiko

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@untitaker @joshuarli @billyvg @iProgramStuff