Fix geotiff unbounded allocation DoS and VRT path traversal#1189
Merged
brendancol merged 2 commits into master on Apr 14, 2026
Two security fixes for the geotiff subpackage:

1. Add a configurable max_pixels guard to read_to_array() and all internal read functions (_read_strips, _read_tiles, _read_cog_http). A crafted TIFF with fabricated header dimensions could previously trigger multi-TB allocations. The default limit is 1 billion pixels (~4 GB for float32 single-band), overridable via max_pixels kwarg. Fixes #1184.

2. Canonicalize VRT source filenames with os.path.realpath() after resolving relative paths. Previously, a VRT file with "../" in SourceFilename could read arbitrary files outside the VRT directory. Fixes #1185.
os.path.realpath() converts Unix-style paths to Windows paths on Windows (e.g. /data/tile.tif becomes D:\data\tile.tif). Use os.path.realpath() in the assertion so it matches the production code's canonicalization on all platforms.
Summary

- Add max_pixels guard to read_to_array() and all internal read functions, preventing memory exhaustion from crafted TIFF headers with fabricated dimensions. Default limit is 1 billion pixels (~4 GB for float32). Fixes "Unbounded allocation from TIFF header dimensions allows memory DoS" #1184.
- Canonicalize VRT source filenames with os.path.realpath() to prevent path traversal via ../ in SourceFilename XML elements. Fixes "VRT path traversal via ../ in SourceFilename" #1185.

Test plan

- Add test_security.py covering both fixes
- _check_dimensions rejects oversized allocations and accepts normal ones
- _read_strips and _read_tiles reject crafted headers with huge dimensions
- read_to_array passes max_pixels through and normal reads are unaffected
- Paths with ../ are canonicalized and no longer contain traversal components
- Other paths with ../ are also canonicalized
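The two guards described in this PR, as an added illustration in Python that is not the project's own code: a header-dimension check modelled on the max_pixels guard, and a VRT source resolver that canonicalizes with os.path.realpath() and additionally (an assumption beyond what the PR describes) refuses sources that resolve outside the VRT's directory. Function names and the sample paths are hypothetical.

```python
import os

DEFAULT_MAX_PIXELS = 1_000_000_000  # the PR's default: 1 billion pixels


def check_dimensions(width, height, samples_per_pixel=1,
                     max_pixels=DEFAULT_MAX_PIXELS):
    """Bound the allocation implied by TIFF header fields (ImageWidth,
    ImageLength, SamplesPerPixel) before any buffer is created.
    Returns the total sample count; raises ValueError for non-positive
    fields or a product above max_pixels.  Hypothetical helper modelled
    on the PR's _check_dimensions, not its code."""
    if width <= 0 or height <= 0 or samples_per_pixel <= 0:
        raise ValueError("non-positive dimension in TIFF header")
    total = width * height * samples_per_pixel  # multiply before allocating
    if total > max_pixels:
        raise ValueError(f"{width}x{height}x{samples_per_pixel} = {total} "
                         f"samples exceeds max_pixels={max_pixels}")
    return total


def has_traversal_component(path):
    """True if any segment of the normalized path is '..'."""
    return ".." in os.path.normpath(path).split(os.sep)


def resolve_vrt_source(vrt_path, source_filename):
    """Canonicalize a VRT SourceFilename.  Relative names are resolved
    against the VRT's directory first; os.path.realpath() then collapses
    '..' and symlinks.  The containment check is an added policy (an
    assumption here), stricter than plain canonicalization."""
    vrt_dir = os.path.realpath(os.path.dirname(os.path.abspath(vrt_path)))
    candidate = source_filename
    if not os.path.isabs(candidate):
        candidate = os.path.join(vrt_dir, candidate)
    resolved = os.path.realpath(candidate)
    if os.path.commonpath([vrt_dir, resolved]) != vrt_dir:
        raise ValueError(f"source {source_filename!r} resolves to "
                         f"{resolved}, outside {vrt_dir}")
    return resolved


if __name__ == "__main__":
    print(check_dimensions(4096, 4096, 3))  # 50331648
    print(resolve_vrt_source("/srv/vrt/mosaic.vrt", "tiles/../t2.tif"))
    for bad in ("../../outside/secret.tif", "/outside/secret.tif"):
        try:
            resolve_vrt_source("/srv/vrt/mosaic.vrt", bad)
        except ValueError as exc:
            print("rejected:", exc)
```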