Strip EXIF data to secure photo location

2025-01-18 17:15:13 +01:00 · 2024-10-03 12:45:03 -04:00 · 2024-10-03 12:45:03 -04:00 · 01bb0b1229
commit 01bb0b1229
parent 730fcf5883
2 changed files with 17 additions and 0 deletions
--- a/app/classes/web/routes/api/crafty/upload/index.py
+++ b/app/classes/web/routes/api/crafty/upload/index.py
@ -1,6 +1,7 @@
 import os
 import logging
 import shutil
+from PIL import Image
 from app.classes.models.server_permissions import EnumPermissionsServer
 from app.classes.shared.helpers import Helpers
 from app.classes.web.base_api_handler import BaseApiHandler
@ -281,6 +282,21 @@ class ApiFilesUploadHandler(BaseApiHandler):
                    with open(chunk_file, "rb") as infile:
                        outfile.write(infile.read())
                    os.remove(chunk_file)
+            if upload_type == "background":
+                # Strip EXIF data
+                image_path = os.path.join(file_path)
+                logger.debug("Stripping exif data from image")
+                image = Image.open(image_path)
+
+                # Get current raw pixel data from image
+                image_data = list(image.getdata())
+                # Create new image
+                image_no_exif = Image.new(image.mode, image.size)
+                # Restore pixel data
+                image_no_exif.putdata(image_data)
+
+                image_no_exif.save(image_path)
+
            logger.info(
                f"File upload completed. Filename: {self.filename}"
                f" Path: {file_path} Type: {u_type}"
--- a/requirements.txt
+++ b/requirements.txt
@ -20,3 +20,4 @@ tzlocal==5.1
 jsonschema==4.19.1
 orjson==3.9.15
 prometheus-client==0.17.1
+pillow==10.4.0