django-cms / django-filer

File and Image Management Application for django
https://django-filer.readthedocs.io/

fix: decompression bomb attack in the Filer #1426

Closed vinitkumar closed 9 months ago

vinitkumar commented 9 months ago

Description

Filer allowed images with a very high pixel count (height * width) to be uploaded. This would cause crashes and failures when the pixel count exceeded what is allowed by Pillow's Image MAX_IMAGE_PIXELS value.

This is an issue because even though the image can be created and attached to the page, it would never work, as PIL always fails to thumbnail such a high-pixel image and crashes, causing crashes and high memory usage on such pages.

This patch fixes this issue at the root, as it wouldn't allow such files to be uploaded via Filer itself. It also allows setting a lower limit, FILER_MAX_IMAGE_PIXELS, so that users can limit the max pixels to a value much lower than what PIL supports.

We also chose the pixel value rather than MAX_HEIGHT and MAX_WIDTH to allow image resolutions other than square images.

https://github.com/django-cms/django-filer/assets/537678/852f1ec2-ce5b-4eeb-80d1-f8eb070e5bfa

Github Issue

Authored-by: Vinit Kumar vinit.kumar@kidskonnect.nl

Related resources

Checklist
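As an added illustration of the kind of pre-decode check the description calls for (example code written for this page, not django-filer's own implementation): it reads width and height straight from a PNG or GIF header, multiplies them, and rejects the upload against a cap named after the FILER_MAX_IMAGE_PIXELS setting before any pixel data is decoded. The header parsers, the default cap of 40 million, the `ImageTooLargeError` class and the `png_header`/`gif_header` helpers that build constructed test inputs are all assumptions of this example.

```python
import struct
from typing import Tuple

# Hypothetical default for the example, chosen to sit well below Pillow's own
# MAX_IMAGE_PIXELS (about 89 million); not the value django-filer ships with.
FILER_MAX_IMAGE_PIXELS = 40_000_000


class ImageTooLargeError(ValueError):
    """Raised when an upload's declared pixel count exceeds the configured cap."""


def read_dimensions(data: bytes) -> Tuple[int, int]:
    """Return (width, height) from the file header of a PNG or GIF.

    Only the first few dozen bytes are inspected and no pixel data is decoded,
    so rejecting a multi-gigapixel bomb costs the same as rejecting a 1x1 image.
    """
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        # signature (8) + IHDR length (4) + chunk type (4), then width/height as big-endian u32
        if len(data) < 24 or data[12:16] != b"IHDR":
            raise ValueError("malformed PNG header")
        width, height = struct.unpack(">II", data[16:24])
        return width, height
    if data[:6] in (b"GIF87a", b"GIF89a"):
        # logical screen width/height as little-endian u16 right after the signature
        if len(data) < 10:
            raise ValueError("malformed GIF header")
        width, height = struct.unpack("<HH", data[6:10])
        return width, height
    raise ValueError("unsupported or unrecognised image format")


def validate_pixel_count(data: bytes, max_pixels: int = FILER_MAX_IMAGE_PIXELS) -> int:
    """Reject before decoding if width * height exceeds max_pixels; return the pixel count.

    The cap is on the product, not on width or height separately, so a wide
    panorama (20000x1000) passes while a 7000x7000 square is refused.
    """
    width, height = read_dimensions(data)
    pixels = width * height
    if pixels > max_pixels:
        raise ImageTooLargeError(
            f"image is {width}x{height} = {pixels} pixels, limit is {max_pixels}"
        )
    return pixels


def png_header(width: int, height: int) -> bytes:
    """Constructed input: PNG signature plus an IHDR chunk only, not a full file."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit RGBA, no interlace
    # read_dimensions does not verify the chunk CRC, so a zero placeholder suffices here.
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\0\0\0\0"


def gif_header(width: int, height: int) -> bytes:
    """Constructed input: GIF89a signature plus the logical screen descriptor only."""
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00"


if __name__ == "__main__":
    ok = validate_pixel_count(png_header(1920, 1080))
    print(f"1920x1080 accepted: {ok} pixels")
    bomb = png_header(100_000, 100_000)  # 10 gigapixels declared in a 33-byte header
    try:
        validate_pixel_count(bomb)
    except ImageTooLargeError as exc:
        print(f"rejected: {exc}")
```

Pillow's `Image.open()` is itself lazy and exposes the same header-derived `.size` without decoding, so the same check can be written on top of it once the file is known to be a format Pillow recognises; what matters is that the comparison happens before `.load()`, thumbnailing or any other decode. Pillow's own default only warns above MAX_IMAGE_PIXELS and raises `DecompressionBombError` above twice that value, which is why an application-level cap set lower than Pillow's is worth having, and why the compressed file size is the wrong thing to limit: the header above is 33 bytes whatever dimensions it declares.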

codecov[bot] commented 9 months ago

Codecov Report

Attention: 11 lines in your changes are missing coverage. Please review.

Comparison is base (8293ba1) 75.96% compared to head (34045eb) 76.41%.

Additional details and impacted files:

```diff
@@            Coverage Diff             @@
##           master    #1426      +/-   ##
==========================================
+ Coverage   75.96%   76.41%   +0.44%
==========================================
  Files          75       75
  Lines        3454     3510      +56
  Branches      554      562       +8
==========================================
+ Hits         2624     2682      +58
+ Misses        669      666       -3
- Partials      161      162       +1
```

| Files | Coverage Δ | Trend |
|---|---|---|
| [filer/admin/imageadmin.py](https://app.codecov.io/gh/django-cms/django-filer/pull/1426?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=django-cms#diff-ZmlsZXIvYWRtaW4vaW1hZ2VhZG1pbi5weQ==) | `89.58% <100.00%> (ø)` | |
| [filer/fields/multistorage_file.py](https://app.codecov.io/gh/django-cms/django-filer/pull/1426?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=django-cms#diff-ZmlsZXIvZmllbGRzL211bHRpc3RvcmFnZV9maWxlLnB5) | `88.34% <100.00%> (ø)` | |
| [filer/models/filemodels.py](https://app.codecov.io/gh/django-cms/django-filer/pull/1426?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=django-cms#diff-ZmlsZXIvbW9kZWxzL2ZpbGVtb2RlbHMucHk=) | `88.88% <100.00%> (+0.19%)` | :arrow_up: |
| [filer/templatetags/filer_admin_tags.py](https://app.codecov.io/gh/django-cms/django-filer/pull/1426?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=django-cms#diff-ZmlsZXIvdGVtcGxhdGV0YWdzL2ZpbGVyX2FkbWluX3RhZ3MucHk=) | `92.10% <100.00%> (+2.72%)` | :arrow_up: |
| [filer/admin/fileadmin.py](https://app.codecov.io/gh/django-cms/django-filer/pull/1426?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=django-cms#diff-ZmlsZXIvYWRtaW4vZmlsZWFkbWluLnB5) | `94.39% <94.11%> (-0.12%)` | :arrow_down: |
| [filer/validation.py](https://app.codecov.io/gh/django-cms/django-filer/pull/1426?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=django-cms#diff-ZmlsZXIvdmFsaWRhdGlvbi5weQ==) | `95.45% <80.00%> (+14.37%)` | :arrow_up: |
| [filer/admin/clipboardadmin.py](https://app.codecov.io/gh/django-cms/django-filer/pull/1426?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=django-cms#diff-ZmlsZXIvYWRtaW4vY2xpcGJvYXJkYWRtaW4ucHk=) | `95.12% <88.00%> (+0.45%)` | :arrow_up: |
| [filer/models/abstract.py](https://app.codecov.io/gh/django-cms/django-filer/pull/1426?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=django-cms#diff-ZmlsZXIvbW9kZWxzL2Fic3RyYWN0LnB5) | `80.82% <76.19%> (-0.78%)` | :arrow_down: |


vinitkumar commented 9 months ago

@fsbraun Just checked it out. Looks and works great. Except I think this warning message could be better. It shows `__all__` and some message.

[Screenshot 2023-09-28 at 2:23:43 AM] [Screenshot 2023-09-28 at 2:23:56 AM]

Once that is fixed, I think it's good enough to be merged and we can cut a 3.1 release for filer.