fix(security): Bump Pillow

[untitaker]

See https://nvd.nist.gov/vuln/detail/CVE-2020-10379

[untitaker]

It seems that Pillow has released CVEs without actually releasing the versions that supposedly fix the security issues.

python-pillow/Pillow#4750

[billyvg]

Approving to unblock our CI, but we should follow up on this

[joshuarli]

All these CVEs affect decoding of some less popular image formats (FLI, PCX, TIFF, JPEG 2000, SGI-RLE): python-pillow/Pillow#4538

So, sentry.models.avatar.get_cached_photo is unaffected (it only resizes and encodes into PNG).

I imagine not many people at all would care if we blocked everything but JPEG or PNG uploads. I know JPEG 2000 is slowly gaining in popularity, but hopefully we're on py3 by the time it's more universal?

The format can be identified by reading Image.format after an image open, or stdlib imghdr although if you search for "imghdr python bug" you get a lot of hits, haha. A few that look pretty good (but are py3-only): https://github.com/cdgriffith/puremagic, https://github.com/h2non/filetype.py. Calibre also maintains their own imghdr.py and I believe the creator/primary maintainer intends to support py2 for a long time.

[untitaker]

I don't know when decoding happens. If it happens when trying to figure out the image type it's not that much of a win. Generally disabling everything but jpeg and png sounds like a good idea though. I bet we could convert the rest in the frontend if we had to

…

On Wed, Jul 1, 2020, 20:14 josh ***@***.***> wrote: All these CVEs affect decoding of some less popular image formats (FLI, PCX, TIFF, JPEG 2000, SGI-RLE): python-pillow/Pillow#4538 <python-pillow/Pillow#4538> So, sentry.models.avatar.get_cached_photo is unaffected (it only resizes and encodes into PNG). I imagine not many people at all would care if we blocked everything but JPEG or PNG uploads. I know JPEG 2000 is slowly gaining in popularity, but hopefully we're on py3 by the time it's more universal? The format can be identified by reading Image.format after an image open, or stdlib imghdr although if you search for "imghdr python bug" you get a lot of hits, haha. A few that look pretty good (but are py3-only): https://github.com/cdgriffith/puremagic, https://github.com/h2non/filetype.py. Calibre also maintains their own imghdr.py <https://github.com/kovidgoyal/calibre/blob/master/src/calibre/utils/imghdr.py> and I believe the creator/primary maintainer intends to support py2 for a long time. — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub <#19662 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGMPRNHQJMCDSQ5PHTQZNTRZN4G7ANCNFSM4ONHLETA> .

[joshuarli]

Image types are generally(?) inferred from magic bytes, not during decoding. But I have not verified this.