Merge branch 'sec/sanitize-image' into 'dev'

Remove EXIF data on app Background Photos See merge request crafty-controller/crafty-4!805
2025-01-31 04:46:11 +01:00 · 2025-01-19 17:49:59 +00:00 · 2025-01-19 17:49:59 +00:00 · 72520b0384
commit 72520b0384
parent a4856c5502 0b20c4f9db
3 changed files with 18 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -9,6 +9,7 @@ TBD
 - Bump requests to resolve yank for CVE-2024-35195 ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/808))
 - Better handle malformed mcping data ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/799))
 ### Tweaks
+- Remove EXIF image data on app Background Photos ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/805))
 - Bump Docker base image `22.04` -> `24.04` ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/812))
 - Bump python pip `2.0.3` -> `24.3.1` ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/812))
 - Bump python setuptools `50.3.2` -> `75.6.0` ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/812))
--- a/app/classes/web/routes/api/crafty/upload/index.py
+++ b/app/classes/web/routes/api/crafty/upload/index.py
@ -1,6 +1,7 @@
 import os
 import logging
 import shutil
+from PIL import Image
 from app.classes.models.server_permissions import EnumPermissionsServer
 from app.classes.shared.helpers import Helpers
 from app.classes.web.base_api_handler import BaseApiHandler
@ -295,6 +296,21 @@ class ApiFilesUploadHandler(BaseApiHandler):
                    with open(chunk_file, "rb") as infile:
                        outfile.write(infile.read())
                    os.remove(chunk_file)
+            if upload_type == "background":
+                # Strip EXIF data
+                image_path = os.path.join(file_path)
+                logger.debug("Stripping exif data from image")
+                image = Image.open(image_path)
+
+                # Get current raw pixel data from image
+                image_data = list(image.getdata())
+                # Create new image
+                image_no_exif = Image.new(image.mode, image.size)
+                # Restore pixel data
+                image_no_exif.putdata(image_data)
+
+                image_no_exif.save(image_path)
+
            logger.info(
                f"File upload completed. Filename: {self.filename}"
                f" Path: {file_path} Type: {u_type}"
--- a/requirements.txt
+++ b/requirements.txt
@ -20,3 +20,4 @@ tzlocal==5.1
 jsonschema==4.19.1
 orjson==3.9.15
 prometheus-client==0.17.1
+pillow==10.4.0