django-cms / django-filer

File and Image Management Application for django
https://django-filer.readthedocs.io/

Issue with DecompressionBombWarning with high pixel images #1425

Closed vinitkumar closed 1 year ago

vinitkumar commented 1 year ago

Filer allows for images to be uploaded to the storages. There is a setting where we can limit the size of the image. However, there is no way to prevent DecompressionBombWarning that can happen when you have added a high pixel image which Pillow can't handle.

In that case you end up with errors like this:

/usr/local/lib/python3.9/site-packages/PIL/Image.py:3074: DecompressionBombWarning: Image size (94570638 pixels) exceeds limit of 89478485 pixels, could be decompression bomb DOS attack.

I believe we should make use of the check for the max allowed pixels from Pillow and give a validation error before uploading such images, as I have experienced downtime on a website because filer allowed such high-pixel images to be uploaded, and then the page crashed as Pillow can't handle them. Even filer's own thumbnailing won't succeed because of this issue, as it can't handle such files. I believe it is a real issue and filer is the correct place to solve this.
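One way to implement the pre-upload check described above, as an added example that is not part of django-filer, Pillow or this thread: read the declared width and height straight from the PNG or JPEG header and reject the file before Pillow ever opens it, so the user gets a clean validation error instead of a crashed page. The pixel limit is Pillow's default value quoted in the warning, and the sample headers are constructed, not real uploads.

```python
import struct
from typing import Optional, Tuple

# Pillow's default Image.MAX_IMAGE_PIXELS (the limit quoted in the warning); local constant so no Pillow import is needed
MAX_IMAGE_PIXELS = 89_478_485
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def read_dimensions(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (width, height) from a PNG or JPEG header without decoding any pixels."""
    if data.startswith(PNG_SIGNATURE) and data[12:16] == b"IHDR" and len(data) >= 24:
        return struct.unpack(">II", data[16:24])
    if data[:2] == b"\xff\xd8":  # JPEG start-of-image
        pos = 2
        while pos + 4 <= len(data):
            if data[pos] != 0xFF:
                return None  # not at a marker boundary: corrupt file
            marker = data[pos + 1]
            if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
                pos += 2
                continue
            if marker in (0xD9, 0xDA):  # end-of-image or start-of-scan before any SOF
                return None
            # SOF0..SOF15, except DHT (C4), JPG (C8) and DAC (CC), carry the frame size
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                if len(data) < pos + 9:
                    return None
                height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
                return width, height
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
    return None


def check_pixel_limit(data: bytes, max_pixels: int = MAX_IMAGE_PIXELS) -> Tuple[bool, str]:
    """Accept only images whose header-declared pixel count is within max_pixels."""
    dims = read_dimensions(data)
    if dims is None:
        return False, "unsupported or truncated image header"
    width, height = dims
    if width * height > max_pixels:
        return False, f"{width}x{height} = {width * height} pixels exceeds limit of {max_pixels}"
    return True, "ok"


# Constructed sample headers: a 10000x10000 PNG, a 640x480 PNG, and a 640x480 JPEG
# with a JFIF APP0 segment followed by an SOF0 frame header.
_PNG_IHDR = struct.pack(">I", 13) + b"IHDR"
SAMPLE_PNG_OVERSIZED = PNG_SIGNATURE + _PNG_IHDR + struct.pack(">II", 10000, 10000) + b"\x08\x02\x00\x00\x00"
SAMPLE_PNG_SMALL = PNG_SIGNATURE + _PNG_IHDR + struct.pack(">II", 640, 480) + b"\x08\x02\x00\x00\x00"
SAMPLE_JPEG_SMALL = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
                     + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08" + struct.pack(">HH", 480, 640) + bytes(10))
```

The header dimensions are exactly what Pillow's own bomb check compares against, so a file this check rejects is one Pillow would warn on anyway; the point is to fail in form validation rather than in the view or the thumbnailer.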

fsbraun commented 1 year ago

See also #1330.