What validation tests are applied to ImageField?


john2095

Mar 15, 2010, 10:56:57 PM
to Django users
The documentation states about the ImageField

"Like FileField, but validates that the uploaded object is a valid
image. Has two extra optional arguments:"

http://docs.djangoproject.com/en/dev/ref/models/fields/#imagefield

I went cruising the source to try and work out what tests are
implemented to define "a valid image" but didn't get much
satisfaction. There seemed to be a fair bit of talk about dimensions
but nothing about much else. I was thinking/hoping to find something
which inspected the binary stream to ensure the .jpg/.gif/.png/.bmp
fit its applicable formats.

Question is "What is the definition of a 'valid image'" in this
context?"
and, optionally, where is the source code for that?

t.i.a.

creecode

Mar 15, 2010, 11:48:51 PM
to Django users
Hello John,

On Mar 15, 7:56 pm, john2095 <john...@pobox.com> wrote:

> Question is "What is the definition of a 'valid image'" in this
> context?"
> and, optionally, where is the source code for that?

My understanding from what I've read is that most of the heavy lifting
for image handling is done by PIL (Python Imaging Library) <
http://www.pythonware.com/products/pil/ >.

I've been getting into using virtualenv and as part of that I've been
doing some PIL easy_installs. One PIL install was built with the jpeg
library and when I tried uploading a jpeg image file, all went well.
Another PIL was built without the jpeg library and when I tried to
upload a jpeg image file, Django complained that the image wasn't in a
recognized format.

So, I assume Django is passing the file to PIL and asking if the file
is in a format that PIL can deal with and is in a valid format.

The PIL documentation may be able to clarify how it validates images.

Toodle-loooooooo............
creecode

john2095

Mar 17, 2010, 1:51:45 AM
to Django users
> I assume Django is passing the file to PIL and asking if the file
> is in a format that PIL can deal with and is in a valid format.

My question is about the assumption...

As far as I can find, it actually only uses PIL to read the file and
return the dimensions. The code looks like if PIL throws an error
because it can't parse the file then the error will be ignored. I'll
have to rig up a test to see what really happens here. See:

http://code.djangoproject.com/browser/django/trunk/django/core/files/images.py#L35

I can't find another usage. At this point, I suspect that if any
errors pop up they are the side-effect of trying to establish the
dimensions and not any specific attempt to validate the image against
a set of criteria.

For those who missed it, my question was:

What constitutes a 'valid' image?
The documentation states "ImageField... Like FileField, but validates
that the uploaded object is a valid image."

Maybe I should post this on the developers list? Would that upset
them?

Kenneth Gonsalves

Mar 17, 2010, 2:25:36 AM
to django...@googlegroups.com
On Wednesday 17 Mar 2010 11:21:45 am john2095 wrote:
> Maybe I should post this on the developers list? Would that upset
> them?
>

most of them read this list
--
regards
Kenneth Gonsalves
Senior Associate
NRC-FOSS
http://certificate.nrcfoss.au-kbc.org.in

pjrh...@gmail.com

Mar 17, 2010, 8:52:12 AM
to Django users
> What constitutes a 'valid' image?
> The documentation states "ImageField... Like FileField, but validates
> that the uploaded object is a valid image."

I haven't read through the code, but the error must be caught
somewhere because I just tested it out.

Trying to upload in the admin a random file with a png extension
throws a ValidationError:

"Upload a valid image. The file you uploaded was either not an image
or a corrupted image."

My guess is just that if PIL can open it, it's an image; if not, it
throws the error.

Peter

Karen Tracey

Mar 17, 2010, 8:54:51 AM
to django...@googlegroups.com
On Wed, Mar 17, 2010 at 1:51 AM, john2095 <joh...@pobox.com> wrote:
> Maybe I should post this on the developers list?
 
No. The topic for django-developers is the development of Django itself. Questions about the use of Django are off-topic and will be directed elsewhere.

Validation of image fields is done at the form field level, see:

http://code.djangoproject.com/browser/django/trunk/django/forms/fields.py#L459

Karen

thanos

Mar 17, 2010, 9:05:34 AM
to Django users
Django's ImageField uses the PIL verify to check the image.

    trial_image = Image.open(file)
    trial_image.verify()

See: http://www.pythonware.com/library/pil/handbook/image.htm
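
The kind of binary-stream inspection asked about at the top of the thread, shown for PNG only with the standard library. This is an added example, not Django's or PIL's code and not a description of what PIL's verify() does internally; `check_png`, `rejection_reason`, `sample_png` and `FAKE_EXE` are names made up here, and both inputs are constructed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60  # constructed stand-in for an .exe upload

def make_chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def check_png(stream):
    """Return (width, height) for a structurally sound PNG, else raise ValueError."""
    if stream[:8] != PNG_SIGNATURE:
        raise ValueError("bad signature")
    pos, seen, size = 8, [], None
    while pos < len(stream) and b"IEND" not in seen:
        if pos + 12 > len(stream):
            raise ValueError("truncated chunk")
        length, ctype = struct.unpack(">I4s", stream[pos:pos + 8])
        end = pos + 12 + length
        if end > len(stream):
            raise ValueError("truncated chunk")
        data = stream[pos + 8:end - 4]
        if stream[end - 4:end] != struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError("CRC mismatch")
        if ctype == b"IHDR" and not seen and length == 13:
            size = struct.unpack(">II", data[:8])  # only a leading IHDR counts
        seen.append(ctype)
        pos = end
    if size is None or b"IDAT" not in seen or seen[-1] != b"IEND":
        raise ValueError("missing or misordered IHDR/IDAT/IEND")
    if pos != len(stream):
        raise ValueError("trailing data after IEND")
    return size

def rejection_reason(stream):
    """Return None if check_png accepts the stream, else why it was refused."""
    try:
        check_png(stream)
    except ValueError as exc:
        return str(exc)
    return None

def sample_png():
    """Constructed 1x1 8-bit grayscale PNG used as the known-good input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + 1 pixel
            + make_chunk(b"IEND", b""))
```

The check looks only at the bytes, so the uploaded file's name or extension plays no part. A stream that passes is a well-formed PNG container, which is a narrower claim than its contents being harmless, since ancillary chunks can hold arbitrary bytes.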

john2095

Mar 18, 2010, 6:42:29 AM
to Django users
Perfect. Thanks. That's what I was chasing.

On Mar 17, 11:54 pm, Karen Tracey <kmtra...@gmail.com> wrote:
>
> Validation of image fields is done at the form field level, see:
>

> http://code.djangoproject.com/browser/django/trunk/django/forms/field...
>
> Karen

john2095

Mar 22, 2010, 2:51:16 AM
to Django users
But does this all amount to an expectation that it will restrict the
upload to an image??

I've got this in my model:

class Photo(models.Model):
    image = models.ImageField(upload_to='photos')

and this in my view:
    try:
        p = Photo()
        p.image = request.FILES['Filedata']
        p.save()
        return HttpResponse('OK')
...

Yet if I do this:

curl -F Filedata=@nasty.exe http://mysite/photo/upload/

It seems quite happy to save the .exe

Can someone please confirm the same test result? I wouldn't like to
say "security advisory" prematurely.


Thanks.

Tom Evans

Mar 22, 2010, 6:04:49 AM
to django...@googlegroups.com
On Mon, Mar 22, 2010 at 6:51 AM, john2095 <joh...@pobox.com> wrote:
> But does this all amount to an expectation that it will restrict the
> upload to an image??
>
> I've got this in my model:
>
> class Photo(models.Model):
>    image = models.ImageField(upload_to='photos')
>
> and this in my view:
>    try:
>        p = Photo()
>        p.image = request.FILES['Filedata']
>        p.save()
>        return HttpResponse('OK')
> ...
>
> Yet if I do this:
>
> curl -F Filedata=@nasty.exe http://mysite/photo/upload/
>
> It seems quite happy to save the .exe
>
> Can someone please confirm the same test result?   I wouldn't like to
> say "security advisory" prematurely.
>
>
> Thanks.
>

Models don't have validation, forms have validation. If it passed
through a forms.ImageField it would get rejected as invalid.

Cheers

Tom

john2095

Mar 22, 2010, 7:25:00 PM
to Django users
Thanks Tom. I don't know where it comes from but it seems deeply
ingrained for me to expect the model to enforce the atomicity/
integrity of its objects.

Just for anyone who stumbles over this thread and wants to know how it
ends...

In this application I'm not using a form (uploadify is a flash-based
file sender) but I can still take advantage of the django.forms
validation routines by invoking ImageField without a form. This seems
to work:

def upload(request):
    from django.forms import ImageField, ValidationError
    try:
        photo = ImageField().clean(request.FILES['Filedata'])
    except ValidationError:
        return HttpResponse("I don't think that's an image.")


On Mar 22, 9:04 pm, Tom Evans <tevans...@googlemail.com> wrote:


> On Mon, Mar 22, 2010 at 6:51 AM, john2095 <john...@pobox.com> wrote:
> > But does this all amount to an expectation that it will restrict the
> > upload to an image??
>
> > I've got this in my model:
>
> > class Photo(models.Model):
> >    image = models.ImageField(upload_to='photos')
>
> > and this in my view:
> >    try:
> >        p = Photo()
> >        p.image = request.FILES['Filedata']
> >        p.save()
> >        return HttpResponse('OK')
> > ...
>
> > Yet if I do this:
>

> > curl -F Filedata=@nasty.exe http://mysite/photo/upload/

mtnhiker

Feb 20, 2018, 8:39:10 PM
to Django users
Brilliant! Thanks (John) for following through. I had the same questions with the same responses you had to your answers. And I also don't have a form that starts the view. I have an image type that is not common (but is a standard), so hoped that the documentation comment "validates that the uploaded object is a valid image" would be I could add a method to validate. I think you got enough in your responses to either let me do that or at least prove I can use the vanilla mechanism to do so. (I see this thread was long ago and I'm now using Django 2.0 so it could be OBE)