Allow to override Pillow image size limit

Valentin Rigal requested to merge pillow-size-env into master

Setting ARKINDEX_MAX_IMAGE_PIXELS in the task's env.

I had trouble running the full import locally (either from the RQ task, where I got 500 errors with Cantaloupe, or using the full stack); the Pillow setting is correctly set though.

Pillow seems to first check for the double value of the threshold, but then applies the correct limit (this is specific to Pillow, I'll document it):

# Default
[INFO] Fetching images for test.jpg
[WARNING] Could not fetch images from test.jpg: Image size (900000000 pixels) exceeds limit of 178956970 pixels, could be decompression bomb DOS attack.

# ARKINDEX_MAX_IMAGE_PIXELS=0
[INFO] Fetching images for test.jpg
[WARNING] Pillow Image size limit is completely disabled, make sure you trust the image source.

# ARKINDEX_MAX_IMAGE_PIXELS=42
[INFO] Fetching images for test.jpg
[WARNING] Could not fetch images from test.jpg: Image size (900000000 pixels) exceeds limit of 84 pixels, could be decompression bomb DOS attack.
[INFO] Imported 0 elements

# ARKINDEX_MAX_IMAGE_PIXELS=449999999
[INFO] Fetching images for test.jpg
[WARNING] Could not fetch images from test.jpg: Image size (900000000 pixels) exceeds limit of 899999998 pixels, could be decompression bomb DOS attack.
[INFO] Imported 0 elements

# ARKINDEX_MAX_IMAGE_PIXELS=450000000
[INFO] Fetching images for test.jpg
/usr/lib/python3.10/site-packages/PIL/Image.py:3182: DecompressionBombWarning: Image size (900000000 pixels) exceeds limit of 450000000 pixels, could be decompression bomb DOS attack.
  warnings.warn(
[INFO] Creating 1 elements
Edited by Valentin Rigal
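
An added example, not part of the merge request or the project's code, modelling the two thresholds visible in the logs above: an error above twice the configured value, and only a warning (the image is still loaded) between the value and its double. The names `limit_from_env`, `png_pixel_count` and `check`, the way the variable is parsed, and the PNG header are assumptions constructed for illustration.

```python
import os
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PILLOW_DEFAULT = 1024 * 1024 * 1024 // 4 // 3  # Pillow's default MAX_IMAGE_PIXELS


def limit_from_env(environ=os.environ):
    """Hypothetical reader for ARKINDEX_MAX_IMAGE_PIXELS; 0 disables the limit."""
    raw = environ.get("ARKINDEX_MAX_IMAGE_PIXELS")
    if raw is None:
        return PILLOW_DEFAULT
    value = int(raw)
    if value < 0:
        raise ValueError("pixel limit must be >= 0")
    return value or None  # None is how Pillow represents "no limit"


def png_pixel_count(header):
    """Pixel count declared in a PNG IHDR chunk, read without decoding the image."""
    if len(header) < 24 or header[:8] != PNG_SIGNATURE or header[12:16] != b"IHDR":
        raise ValueError("not a PNG header")
    width, height = struct.unpack(">II", header[16:24])
    return max(1, width) * max(1, height)


def check(pixels, limit, strict=False):
    """Classify a pixel count the way Pillow's two thresholds do.

    Above 2 * limit Pillow raises an error; between limit and 2 * limit it only
    warns and still loads the image. strict=True makes limit itself the hard cap.
    """
    if limit is None:
        return "ok"
    if pixels > 2 * limit:
        return "error"
    if pixels > limit:
        return "error" if strict else "warning"
    return "ok"


# Constructed sample: the first 24 bytes of a PNG declaring 30000 x 30000 pixels.
SAMPLE_HEADER = PNG_SIGNATURE + struct.pack(">I4sII", 13, b"IHDR", 30000, 30000)

if __name__ == "__main__":
    pixels = png_pixel_count(SAMPLE_HEADER)
    for raw in (None, "0", "42", "449999999", "450000000"):
        env = {} if raw is None else {"ARKINDEX_MAX_IMAGE_PIXELS": raw}
        limit = limit_from_env(env)
        print(raw, pixels, check(pixels, limit), check(pixels, limit, strict=True))
```

With Pillow itself, the strict behaviour corresponds to promoting the warning to an exception with `warnings.simplefilter("error", Image.DecompressionBombWarning)`.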