From 3689e3f31b4098c81204f89e47f5e35d18192c90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?= <fpeters@entrouvert.com>
Date: Sat, 11 Jun 2016 13:55:56 +0200
Subject: [PATCH] misc: check uploaded image is valid before sending it back
 (#11276)

---
 tests/test_form_pages.py |  8 ++++++++
 wcs/qommon/form.py       | 14 ++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/tests/test_form_pages.py b/tests/test_form_pages.py
index 3851c3e..f228a3b 100644
--- a/tests/test_form_pages.py
+++ b/tests/test_form_pages.py
@@ -1522,6 +1522,14 @@ def test_form_file_field_image_submit(pub):
         resp = app.get('/test/tempfile?t=%s&thumbnail=1' % tempfile_id)
         assert resp.content_type == 'image/png'
 
+        # check a fake image is not sent back
+        upload = Upload('test.jpg', '<script>evil javascript</script>', 'image/jpeg')
+        app = get_app(pub)
+        resp = app.get('/test/')
+        resp.forms[0]['f0$file'] = upload
+        resp = resp.forms[0].submit('submit')
+        assert not '<img alt="" src="tempfile?' in resp.body
+
 def test_form_file_field_submit_wrong_mimetype(pub):
     formdef = create_formdef()
     formdef.fields = [fields.FileField(id='0', label='file')]
diff --git a/wcs/qommon/form.py b/wcs/qommon/form.py
index 0b07fef..fd1432a 100644
--- a/wcs/qommon/form.py
+++ b/wcs/qommon/form.py
@@ -29,6 +29,11 @@ import itertools
 import hashlib
 import json
 
+try:
+    from PIL import Image
+except ImportError:
+    Image = None
+
 from storage import atomic_write
 
 try:
@@ -690,7 +695,16 @@ class FileWithPreviewWidget(CompositeWidget):
                           % (_('Remove this file'), _('remove')))
         elif temp:
             filetype = mimetypes.guess_type(temp.get('orig_filename', ''))
+            include_image = False
             if filetype and filetype[0] and filetype[0].startswith('image'):
+                include_image = True
+            if Image:
+                image_content = get_session().get_tempfile_content(self.get('token'))
+                try:
+                    image = Image.open(image_content.fp)
+                except Exception:
+                    include_image = False
+            if include_image:
                 r += htmltext('<img alt="" src="tempfile?t=%s&thumbnail=1" />' %
                               self.get('token'))
         r += htmltext('</div>')
-- 
2.8.1