
Image Processing Vulnerabilities in content/serializers.py #1561

@monu808

Description


The scrub_exif() function in backend/content/serializers.py contains security vulnerabilities that could lead to denial of service attacks, memory exhaustion, and bypass of security controls.

Affected Code

The vulnerability occurs in the scrub_exif() function (lines 74-133).

Steps to Reproduce

  1. Upload a large image file (>10MB) through any image upload endpoint
  2. Upload a non-image file with image extension
  3. Upload an image with extremely large dimensions but small file size (decompression bomb)
  4. Observe that current code processes these without proper validation

Expected Behavior

  • Files exceeding size limits should be rejected with clear error messages
  • Non-image files should be detected and rejected

Actual Behavior

  • Generic except Exception catches all errors and allows malicious files through
  • No file size validation before processing
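One way to add the missing checks in front of scrub_exif(), as an added illustration that is not code from this project: validate the upload's size, magic bytes and header-declared dimensions using only the standard library, so a decompression bomb is rejected without decoding any pixels. The function names, the 10 MB limit and the 50-megapixel cap are assumptions, not values from the repository.

```python
# Added example: pre-validate an uploaded image before it reaches an EXIF
# scrubber. Size, magic bytes and header-declared dimensions are checked
# with the standard library only, so a decompression bomb is rejected
# without ever decoding pixels. Names and limits are assumptions.
import struct

MAX_UPLOAD_BYTES = 10 * 1024 * 1024      # assumed size limit (report uses 10MB)
MAX_PIXELS = 50_000_000                  # assumed cap on width * height

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data: bytes):
    # IHDR is always the first chunk: 4-byte length, "IHDR", width, height
    if len(data) < 24 or data[12:16] != b"IHDR":
        raise ValueError("malformed PNG header")
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def jpeg_dimensions(data: bytes):
    # Walk marker segments after SOI until a start-of-frame (SOF0..SOF2)
    i = 2
    while i + 9 < len(data):
        if data[i] != 0xFF:
            raise ValueError("malformed JPEG segment")
        marker = data[i + 1]
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker in (0xC0, 0xC1, 0xC2):
            # SOF layout: length(2) precision(1) height(2) width(2) ...
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + seg_len
    raise ValueError("no JPEG frame header found")


def validate_image_upload(data: bytes) -> tuple:
    """Return (format, width, height) or raise ValueError with a clear reason."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("file exceeds size limit")
    if data.startswith(PNG_SIG):
        fmt, (w, h) = "png", png_dimensions(data)
    elif data.startswith(b"\xff\xd8\xff"):
        fmt, (w, h) = "jpeg", jpeg_dimensions(data)
    else:
        raise ValueError("not a supported image (magic bytes mismatch)")
    if w == 0 or h == 0 or w * h > MAX_PIXELS:
        raise ValueError(f"declared dimensions {w}x{h} exceed pixel cap")
    return fmt, w, h
```

Catch ValueError at the view or serializer boundary and return a 400 with the message, rather than a blanket except Exception that lets the file continue.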


Labels: backend (Relates to the project backend), python (Relates to Python code)
