misc: check uploaded image is valid before sending it back (#11276)

tests/test_form_pages.py

@@ -1486,6 +1486,14 @@ def test_form_file_field_image_submit(pub):
         resp = app.get('/test/tempfile?t=%s&thumbnail=1' % tempfile_id)
         assert resp.content_type == 'image/png'
 
+        # check a fake image is not sent back
+        upload = Upload('test.jpg', '<script>evil javascript</script>', 'image/jpeg')
+        app = get_app(pub)
+        resp = app.get('/test/')
+        resp.forms[0]['f0$file'] = upload
+        resp = resp.forms[0].submit('submit')
+        assert not '<img alt="" src="tempfile?' in resp.body
+
 def test_form_file_field_submit_wrong_mimetype(pub):
     formdef = create_formdef()
     formdef.fields = [fields.FileField(id='0', label='file')]

wcs/qommon/form.py

@@ -29,6 +29,11 @@ import itertools
 import hashlib
 import json
 
+try:
+    from PIL import Image
+except ImportError:
+    Image = None
+
 from storage import atomic_write
 
 try:
@@ -690,7 +695,16 @@ class FileWithPreviewWidget(CompositeWidget):
                           % (_('Remove this file'), _('remove')))
         elif temp:
             filetype = mimetypes.guess_type(temp.get('orig_filename', ''))
+            include_image = False
             if filetype and filetype[0] and filetype[0].startswith('image'):
+                include_image = True
+            if Image:
+                image_content = get_session().get_tempfile_content(self.get('token'))
+                try:
+                    image = Image.open(image_content.fp)
+                except Exception:
+                    include_image = False
+            if include_image:
                 r += htmltext('<img alt="" src="tempfile?t=%s&thumbnail=1" />' %
                               self.get('token'))
         r += htmltext('</div>')