[Django] #30252: ImageField's to_python() stores reference to closed Image object

[Django]

#30252: ImageField's to_python() stores reference to closed Image object
------------------------------------------------+------------------------
               Reporter:  Felix Dreissig        |          Owner:  nobody
                   Type:  Bug                   |         Status:  new
              Component:  File uploads/storage  |        Version:  2.1
               Severity:  Normal                |       Keywords:
           Triage Stage:  Unreviewed            |      Has patch:  0
    Needs documentation:  0                     |    Needs tests:  0
Patch needs improvement:  0                     |  Easy pickings:  0
                  UI/UX:  0                     |
------------------------------------------------+------------------------
 In django.forms.fields.ImageField's `to_python()` method, an uploaded
 image is validated by `open()`ing a PIL.Image object from it and calling
 `verify()` on that. Afterwards, the Image object is saved to an `image`
 attribute of the uploaded file (i.e. an InMemoryUploadedFile). According
 to a comment in the source, this happens so that "subclasses can reuse it
 for their own validation".

 Pillow closes an Image after `verify()`ing and the docs
 
[https://pillow.readthedocs.io/en/stable/reference/Image.html#PIL.Image.Image.verify
 state] that it cannot be used after calling `verify` on it:

   If you need to load the image after using this method, you must reopen
 the image file.

 For me, this resulted in the following error when trying to explicitly
 call `save()` on the Image, but similar effects will probably happen for
 any operation:

 {{{
   File ".../lib/python3.6/site-packages/PIL/Image.py", line 1960, in save
     self.load()
   File ".../lib/python3.6/site-packages/PIL/ImageFile.py", line 165, in
 load
     seek = self.fp.seek
 AttributeError: 'NoneType' object has no attribute 'seek'
 }}}

 This could be related to #13750, but I don't think so.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30252>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/046.c1e703af36314f01f3bfbcba5ba850de%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.