load takes either bytes of a picture or a filename, and provides the caller with no way to specify which way to interpret the data.
So a caller accepting images over the network and passing the received bytes into load directly will be in for a nasty surprise when an attacker makes an "image" composed of any of the following byte sequences:
b"/dev/random" or b"/dev/urandom": Will try to do an infinite read about 1 in 25000 times (if the random bytes from these files match that of a jpeg file).
b"/path/to/file/i/want/to/check": Will leak whether a file exists at that location on the disk, and whether it is an image.
The only safe thing for someone writing a web-service then becomes:
loadtakes either bytes of a picture or a filename, and provides the caller with no way to specify which way to interpret the data.So a caller accepting images over the network and passing the received bytes into
loaddirectly will be in for a nasty surprise when an attacker makes an "image" composed of any of the following byte sequences:b"/dev/random"orb"/dev/urandom": Will try to do an infinite read about 1 in 25000 times (if the random bytes from these files match that of a jpeg file).b"/path/to/file/i/want/to/check": Will leak whether a file exists at that location on the disk, and whether it is an image.The only safe thing for someone writing a web-service then becomes:
load.