[FIX] base: avoid fail with wrong mimetype #156209
webp and svg are not resizable, so why would you like to add it in ir.config_parameter 'image_autoresize_extensions'???
If you don't add it, you will just not enter into the if is_image_resizable and...'s condition...
Your issue here is that you try to upload an svg that you hide under the extension jpeg to try to bypass some other rules...
But your commit message is wrong, your UserError too. Maybe we should handle this case (raise a Warning if we detect wrong mimetype e.g.) to have a better UX, but this commit doesn't reflect it.
Hey @JKE-be
so please explain it in the commit msg. Your problem is not that you really upload a svg file. But that you upload a svg file renamed as .png.
Hey @JKE-be Sorry for the late reply, I was out of office. I have updated the commit message. Please let me know if there is anything else I should change.
@robodoo override=ci/style (TRY301, to discuss if we keep or not this new rule (ruff mig), but don't rewrite this code now) Did you check what introduced this regression in saas-16.4? What is the difference with saas-16.3?
Hey @JKE-be Yeah it looks like the change that introduced this regression was adding this to the if condition: Looks like this change was meant to add compatibility for webps and with further testing it looks like this issue has always existed with SVGs. However, I don't think anyone would try converting vectors to raster through the file extension like that. Here's the commit in question:
@ryce-odoo Can you elaborate on the scenario that causes the error (in the commit message)? This looks good to me. Maybe we should find a way to make the "incoming" mimetype not trustworthy, and have
Hi @bso-odoo
@ryce-odoo Nice, but what I meant was that it did not mention which upload feature you are talking about.
Hey @bso-odoo
@robodoo delegate=bso-odoo
@robodoo override=ci/style
Hey @bso-odoo
Hey @bso-odoo
Hey @bso-odoo
@ryce-odoo Thanks for all the changes. It seems runbot is not happy 😓 :
Hey @bso-odoo
Uploading a WEBP or SVG file disguised with a proper file extension (JPG, PNG) will cause a traceback because img.image is not populated when there is an empty source, SVG, or WEBP file uploaded as this code should not be reached with these file types.
The reason this occurs is because we check for the file extension when deciding to post process an image, but when we get to initializing the ImageProcess object, we then check the actual file structure to verify the type of file.
This is a workaround for the time being, but should not be a final solution in future versions.
Adding a null check on img.image in the _postprocess_contents method in order to avoid attempting to access the size of this image when it is null.
Raises a user error in order to trigger the catch and exit the code while logging the error and 'Post processing ignored:'.
Includes test for this new workflow with no errors.
opw-3672250
@ryce-odoo 😬 Since this is just a console-logged message after all, I de-translated it. Really sorry 🙏
Hey @bso-odoo I think it's ready to merge when you are.
@robodoo r+
Uploading a WEBP or SVG file disguised with a proper file extension (JPG, PNG) will cause a traceback because img.image is not populated when there is an empty source, SVG, or WEBP file uploaded as this code should not be reached with these file types.
The reason this occurs is because we check for the file extension when deciding to post process an image, but when we get to initializing the ImageProcess object, we then check the actual file structure to verify the type of file.
This is a workaround for the time being, but should not be a final solution in future versions.
Adding a null check on img.image in the _postprocess_contents method in order to avoid attempting to access the size of this image when it is null.
Raises a user error in order to trigger the catch and exit the code while logging the error and 'Post processing ignored:'.
Includes test for this new workflow with no errors.
opw-3672250
closes #156209
Signed-off-by: Benoit Socias (bso) <bso@odoo.com>
Thanks @bso-odoo!
Uploading a WEBP or SVG file disguised with a proper file extension (JPG, PNG) will cause a traceback because img.image is not populated when there is an empty source, SVG, or WEBP file uploaded as this code should not be reached with these file types.
The reason this occurs is because we check for the file extension when deciding to post process an image, but when we get to initializing the ImageProcess object, we then check the actual file structure to verify the type of file.
This is a workaround for the time being, but should not be a final solution in future versions.
Adding a null check on img.image in the _postprocess_contents method in order to avoid attempting to access the size of this image when it is null.
Raises a user error in order to trigger the catch and exit the code while logging the error and 'Post processing ignored:'.
opw-3672250
I confirm I have signed the CLA and read the PR guidelines at www.odoo.com/submit-pr
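Added example (not part of this PR or of Odoo's code): a standalone sketch of deciding whether to post-process an upload from its content signature instead of its file extension, so a WEBP, SVG or empty file named .png or .jpg is skipped before any image object is touched. The names `sniff_mimetype`, `classify_upload` and `RESIZABLE` are hypothetical, the SVG check is a simple heuristic, and the sample bytes are constructed.

```python
import mimetypes
from typing import Optional, Tuple

# Raster types treated as resizable here (assumption); WEBP and SVG are not.
RESIZABLE = {"image/png", "image/jpeg", "image/gif"}


def sniff_mimetype(data: bytes) -> Optional[str]:
    """Identify an image from its leading bytes, ignoring the filename."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    # Heuristic: XML/SVG prolog (after BOM or whitespace) with an <svg element.
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if head.startswith((b"<?xml", b"<svg", b"<!doctype svg")) and b"<svg" in head:
        return "image/svg+xml"
    return None


def classify_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (should_resize, reason), deciding on content, not on the filename."""
    declared, _ = mimetypes.guess_type(filename)
    if not data:
        return False, "empty source"
    detected = sniff_mimetype(data)
    if detected is None:
        return False, "unrecognised content"
    # Keep the mismatch in the reason so it can be logged.
    note = "" if detected == declared else f" (declared {declared})"
    if detected not in RESIZABLE:
        return False, f"{detected} is not resizable{note}"
    return True, f"{detected}{note}"


# Constructed sample inputs.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
WEBP_SAMPLE = b"RIFF" + b"\x00" * 4 + b"WEBPVP8 "
SVG_SAMPLE = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>'

if __name__ == "__main__":
    for name, blob in [("real.png", PNG_SAMPLE), ("logo.png", SVG_SAMPLE),
                       ("photo.jpg", WEBP_SAMPLE), ("blank.png", b"")]:
        print(name, classify_upload(name, blob))
```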