upload_photo endpoint stored raw uploaded bytes verbatim — EXIF GPS/device fingerprint leaked, polyglot files (image + appended payload) survived MIME check and were served back with image/* content-type. Add services/image_sanitizer.py: open via Pillow, force full decode, drop EXIF, normalize to RGB, cap longest edge at 2400px, re-encode as JPEG quality=85. Pipe upload_photo through it; reject undecodable input with 400. Pin Pillow>=10.3.0 explicitly (was transitive via weasyprint). Closes finding #6 from 2026-05-24 trade-in audit. |
||
|---|---|---|
| .. | ||
| __init__.py | ||
| admin.py | ||
| brand.py | ||
| geocode.py | ||
| search.py | ||
| trade_in.py | ||