From 8f9e4f7e658fee5e6d64323fa6576285e9be653b Mon Sep 17 00:00:00 2001
From: pax <paxxe@protonmail.com>
Date: Sat, 11 Apr 2026 16:21:37 -0500
Subject: [PATCH] =?UTF-8?q?security:=20fix=20#8=20=E2=80=94=20drop=20dupli?=
 =?UTF-8?q?cate=20MAX=5FIMAGE=5FPIXELS=20set=20from=20cache.py?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The cap is now installed by core/__init__.py (previous commit), so
the line in cache.py is redundant. Removing it leaves a single
authoritative location for the security-critical PIL setting.

Audit-Ref: SECURITY_AUDIT.md finding #8
Severity: Low
---
 booru_viewer/core/cache.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/booru_viewer/core/cache.py b/booru_viewer/core/cache.py
index 0636f73..9e82ea4 100644
--- a/booru_viewer/core/cache.py
+++ b/booru_viewer/core/cache.py
@@ -33,10 +33,8 @@ MAX_DOWNLOAD_BYTES = 500 * 1024 * 1024  # 500 MB
 # regression risk of the streaming rewrite is zero.
 STREAM_TO_DISK_THRESHOLD = 50 * 1024 * 1024  # 50 MB
 
-# Cap PIL's auto-DOS guard at 256M pixels (~1 GB raw). Default warns
-# silently above ~89M; we want a hard fail so DecompressionBombError
-# can be caught and treated as a download failure.
-Image.MAX_IMAGE_PIXELS = 256 * 1024 * 1024
+# PIL's MAX_IMAGE_PIXELS cap is set in core/__init__.py so any
+# `booru_viewer.core.*` import installs it first — see audit #8.
 
 # Defends `_convert_ugoira_to_gif` against zip bombs. A real ugoira is
 # typically <500 frames at 1080p; these caps comfortably allow legit