The dangerous, exquisite art of safely handing user-uploaded files: Tom Eastman (was: Does This Scare You?)

Chris Angelico rosuav at gmail.com
Mon Aug 22 12:20:16 EDT 2016


On Tue, Aug 23, 2016 at 1:56 AM, Random832 <random832 at fastmail.com> wrote:
>> And any GUI that automatically calculates thumbnails from
>> image files (this includes Windows, Mac OS, and more than one Linux
>> window manager) could potentially be attacked via a malformed file,
>> simply by having it appear on the file system.
>
> This has nothing to do with the filename, unless you additionally assume
> that this will only happen if the file is called .jpg

It generally will (or rather, only if the file has one of a particular
set of extensions). Automatic thumbnailing is usually done only for
certain file names. I don't know of anything that opens every single
file to see if it has a JFIF signature (etc. for PNG and whatever other
types).

ChrisA
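As an added example (not code from the thread or from Chris's post), here is the kind of check an upload handler can run so that it does not rely on the extension alone: it compares what the filename claims against the leading bytes of the file (the JPEG SOI marker, the PNG signature, the GIF header) and accepts only when both agree. The sample byte strings are constructed for the example.

```python
"""Refuse uploads whose content does not match the type their extension claims.

Added example, not from the mailing-list thread. A thumbnailer or upload
handler that trusts only the extension will happily treat any bytes named
"x.jpg" as a JPEG; checking the leading signature first catches the obvious
mismatches before a decoder is ever pointed at the file.
"""
import os
from typing import Optional, Tuple

# Allow-listed image types: the extensions we accept for each, and the
# leading byte signatures that identify the content. JPEG is identified by
# its SOI marker (FF D8 FF); the APP0 "JFIF" text that usually follows is
# not required, since Exif JPEGs use APP1 instead.
IMAGE_TYPES = {
    "jpeg": {"exts": {".jpg", ".jpeg"}, "magics": [b"\xff\xd8\xff"]},
    "png":  {"exts": {".png"},          "magics": [b"\x89PNG\r\n\x1a\n"]},
    "gif":  {"exts": {".gif"},          "magics": [b"GIF87a", b"GIF89a"]},
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the type whose signature the data starts with, else None."""
    for name, spec in IMAGE_TYPES.items():
        if any(data.startswith(magic) for magic in spec["magics"]):
            return name
    return None


def extension_type(filename: str) -> Optional[str]:
    """Return the type the (case-insensitive) extension claims, else None."""
    ext = os.path.splitext(filename)[1].lower()
    for name, spec in IMAGE_TYPES.items():
        if ext in spec["exts"]:
            return name
    return None


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when the extension is allow-listed AND the content agrees.

    Returns (accepted, reason-or-type). Rejecting on any disagreement means a
    file is never handed to a decoder chosen by its name alone.
    """
    claimed = extension_type(filename)
    if claimed is None:
        return False, "extension not in allow-list"
    actual = sniff_type(data)
    if actual is None:
        return False, "no recognised image signature"
    if actual != claimed:
        return False, f"extension says {claimed} but content is {actual}"
    return True, claimed


# Constructed sample inputs (not real files): a minimal JPEG/JFIF prefix,
# a PNG signature plus IHDR chunk header, and a non-image prefix.
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 16
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
NOT_AN_IMAGE = b"MZ\x90\x00" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in [("cat.jpg", GOOD_JPEG), ("cat.png", GOOD_PNG),
                       ("cat.jpg", GOOD_PNG), ("cat.exe", GOOD_JPEG),
                       ("cat.JPG", NOT_AN_IMAGE)]:
        print(name, check_upload(name, blob))
```

A matching signature only tells you which decoder the file is asking for; a malformed JPEG still begins with a valid SOI marker, so the decoder itself still needs its own limits (size caps, a sandboxed or separate process for thumbnailing) on top of this check.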