Pillow/docs/releasenotes/9.0.1.rst

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

30 lines
925 B
ReStructuredText
Raw Normal View History

2022-02-03 01:48:56 +03:00
9.0.1
-----
Security
========
This release addresses several security problems.
:cve:`2022-24303`: Temp image removal
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-13 21:40:00 +03:00
If the path to the temporary directory on Linux or macOS
2022-02-03 01:48:56 +03:00
contained a space, this would break removal of the temporary image file after
``im.show()`` (and related actions), and potentially remove an unrelated file. This
2022-02-03 19:19:49 +03:00
has been present since PIL.
2022-02-03 01:48:56 +03:00
:cve:`2022-22817`: Restrict lambda expressions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-13 21:52:53 +03:00
While Pillow 9.0 restricted top-level builtins available to
:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins
available to lambda expressions. These are now also restricted.
2022-02-03 01:48:56 +03:00
Other Changes
=============
Pillow 9.0 added support for ``xdg-open`` as an image viewer, but there have been
reports that the temporary image file was removed too quickly to be loaded into the
final application. A delay has been added.