[Image-SIG] PIL Consuming All System Resources

Yury V. Zaytsev yury at shurup.com
Mon May 31 08:31:49 CEST 2010


On Sun, 2010-05-30 at 14:59 -0700, Edward Cannon wrote:
> Another method used by many websites is to put a limit on uploaded  
> file size. This has the double benefit of saving on bandwidth as well.  
> Facebook uses 5MB

This is no magic bullet, though. As with ZIP bombs, you can craft a
malicious image in such a way that, taking a few hundred kilobytes, it will
still have a giant resolution and, when unpacked, take many gigabytes of
memory, making your server go into swap and die.

Hey, by the way... If you don't ulimit your Python processes, that's
pretty lame. A single minor mistake / lack of a sanity check in the code
and a successful DoS against your server is warranted.
 
-- 
Sincerely yours,
Yury V. Zaytsev
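The decompression-bomb point above, as an added example that is not from the thread or from PIL itself: read the dimensions from the PNG header before any decoder touches the data, refuse files whose pixel count exceeds a policy cap, and keep an RLIMIT_AS ceiling as the backstop the poster recommends. The pixel cap value and the sample header bytes are constructed assumptions.

```python
import resource
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_PIXELS = 20_000_000     # assumed policy cap on decoded pixel count
BYTES_PER_PIXEL = 4         # worst case: RGBA decode into memory


def png_dimensions(data: bytes):
    """Return (width, height) from the IHDR chunk without decoding pixels.

    IHDR is mandatory and must be the first chunk, so 24 bytes are enough.
    """
    if len(data) < 24 or data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("malformed IHDR")
    return struct.unpack(">II", data[16:24])


def decode_cost_bytes(width: int, height: int, bpp: int = BYTES_PER_PIXEL) -> int:
    """Memory a full decode would need; this is what a small file can blow up to."""
    return width * height * bpp


def is_safe_to_decode(data: bytes, max_pixels: int = MAX_PIXELS) -> bool:
    """Gate the expensive decode on the cheap header check."""
    width, height = png_dimensions(data)
    return width * height <= max_pixels


def make_png_header(width: int, height: int) -> bytes:
    """Constructed sample: signature plus IHDR only (8-bit RGBA, CRC zeroed)."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00"
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00" * 4


def apply_memory_ceiling(max_bytes: int) -> None:
    """The ulimit backstop: a missed check then raises MemoryError, not swap death."""
    resource.setrlimit(resource.RLIMIT_AS, (max_bytes, max_bytes))


if __name__ == "__main__":
    bomb = make_png_header(30_000, 30_000)   # ~33 bytes on disk, 900 Mpixel decoded
    print(png_dimensions(bomb), decode_cost_bytes(30_000, 30_000), is_safe_to_decode(bomb))
```

Pillow later added a comparable in-library check (Image.MAX_IMAGE_PIXELS); the value of doing it at the header level is that nothing is allocated before the decision is made.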
