[Image-SIG] PIL Consuming All System Resources

Yury V. Zaytsev yury at shurup.com
Mon May 31 08:31:49 CEST 2010

On Sun, 2010-05-30 at 14:59 -0700, Edward Cannon wrote:
> Another method used by many websites is to put a limit on uploaded  
> file size. This has the double benifit of saving on bandwidth as well.  
> Facebook uses 5MB

This is no magic bullet, though. As with ZIP bombs, you can craft a
malicious image in such a way, that taking few hundred kilobytes it will
still have a giant resolution and when unpacked take many gigabytes of
memory to make your server go into swap and die.

Hey, by the way... If you don't ulimit your Python processes, that's
pretty lame. A single minor mistake / lack of a sanity check in the code
and a successful DOS against your server is warranted.
Sincerely yours,
Yury V. Zaytsev

More information about the Image-SIG mailing list