Piexif icon indicating copy to clipboard operation
Piexif copied to clipboard
verified publisher icon hMatoba

Vulnerability in API

Open homm opened this issue 4 years ago • 2 comments

piexif.load accepts both filenames and raw data.

        elif maybe_image and data[0:2] in (b"\x49\x49", b"\x4d\x4d"):  # TIFF
            self.tiftag = data
        elif maybe_image and data[0:4] == b"RIFF" and data[8:12] == b"WEBP":
            self.tiftag = _webp.get_exif(data)
        elif maybe_image and data[0:4] == b"Exif":  # Exif
            self.tiftag = data[6:]
        else:
            with open(data, 'rb') as f:

The malefactor can craft a file with arbitrary data in exif chunk of an image.

im = Image.open("Image.jpg")
exif = piexif.load(im.info["exif"])

As a result piexif will try to open a file with the path stored in im.info["exif"] and also will try to read it.

Solution

piexif should newer try to open files when name is bytes, not str.

homm avatar Dec 08 '21 10:12 homm

That's a great observation. This is probably part of the reason most python I/O libraries have separate load(file: IO) and loads(data: bytes) and dump/s function calls. The other is avoiding path/data ambiguity, which can have some really nasty corner cases (a POSIX path can contain essentially any byte, save for 0x00 IIRC). Basically there is no viable, reliable, unambiguous way to determine if a collection of bytes is a path or just data.

xkortex avatar Dec 17 '21 18:12 xkortex

There's a vulnerability for this now getting picked up by threat scanners. FYI.

https://security.snyk.io/vuln/SNYK-PYTHON-PIEXIF-2312874

amiantos avatar Jan 17 '24 21:01 amiantos