[IMC-Tech] Image file uploads allow client side code injection in Internet Explorer 6.x, was: your IRC message
remi.d at mezimail.com
Thu Dec 1 16:51:14 PST 2005
As you understood, I used the Python Imaging Library.
The open function immediately failed on the provided gif example, but you are
right, I was relying on the verify method of the xImageFile instance.
After a quick look at the Image module source I thought we had better use
the «load» method,
::
# Open
# This is a lazy operation; this function identifies the file, but the
# actual image data is not read from the file until you try to process
# the data (or call the {@link #Image.load} method).
but in fact, about the load method...
::
# Allocates storage for the image and loads the pixel data. In
# normal cases, you don't need to call this method, since the
# Image class automatically loads an opened image when it is
# accessed for the first time.
That explains why the exception was raised at the image open attempt.
So IMHO, we can rely on this quick script to check image files. The true
verification is really done immediately at the «open» attempt; the verify appears
to be a luxury.
What do you think?
-------------------------------------------------
This message was sent via www.mezimail.com