From 4d46d981caa2c4f9fa3fd425cab8fb02a817d825 Mon Sep 17 00:00:00 2001
From: Emmanuel Viennet <emmanuel.viennet@gmail.com>
Date: Fri, 10 Jan 2025 21:03:46 +0100
Subject: [PATCH] Enhance error checking on photo upload

---
 app/forms/main/config_cas.py |  2 +-
 app/scodoc/sco_photos.py     | 13 +++++++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/app/forms/main/config_cas.py b/app/forms/main/config_cas.py
index 5b1a18fa5..0d453cf32 100644
--- a/app/forms/main/config_cas.py
+++ b/app/forms/main/config_cas.py
@@ -92,7 +92,7 @@ class ConfigCASForm(FlaskForm):
         dont le premier groupe doit donner l'identifiant CAS.
         Si non fournie, le super-admin devra saisir cet identifiant pour chaque compte.
         Par exemple, <tt>(.*)@</tt> indique que le mail sans le domaine (donc toute
-        la partie avant le <tt>@</tt>) est l'identifiant.
+        la partie avant le <tt>@</tt> est l'identifiant).
         Pour prendre le mail complet, utiliser <tt>(.*)</tt>.
         """,
         validators=[Optional(), check_cas_uid_from_mail_regexp],
diff --git a/app/scodoc/sco_photos.py b/app/scodoc/sco_photos.py
index f034da876..62cecb422 100755
--- a/app/scodoc/sco_photos.py
+++ b/app/scodoc/sco_photos.py
@@ -319,16 +319,21 @@ def save_image(etud: Identite, data: bytes):
     data_file = io.BytesIO()
     data_file.write(data)
     data_file.seek(0)
-    img = PILImage.open(data_file)
+    try:
+        img = PILImage.open(data_file)
+    except PIL.Image.DecompressionBombError as exc:
+        log("sco_photos.save_image: DecompressionBombError")
+        raise ScoValueError("Fichier image invalide ou image trop grande") from exc
     filename = get_new_filename(etud)
     path = os.path.join(PHOTO_DIR, filename)
-    log("saving %dx%d jpeg to %s" % (img.size[0], img.size[1], path))
+    log(f"saving {img.size[0]}x{img.size[0]} jpeg to {path}")
     img = img.convert("RGB")
     img.save(path + IMAGE_EXT, format="JPEG", quality=92)
     # resize:
     img = scale_height(img)
-    log("saving %dx%d jpeg to %s.h90" % (img.size[0], img.size[1], filename))
-    img.save(path + H90 + IMAGE_EXT, format="JPEG", quality=92)
+    path = path + H90 + IMAGE_EXT
+    log(f"saving {img.size[0]}x{img.size[0]} jpeg to {path}")
+    img.save(path, format="JPEG", quality=92)
     return filename