2022-02-03 01:48:56 +03:00
|
|
|
9.0.1
|
|
|
|
-----
|
|
|
|
|
|
|
|
Security
|
|
|
|
========
|
|
|
|
|
|
|
|
This release addresses several security problems.
|
|
|
|
|
2024-03-14 20:58:05 +03:00
|
|
|
:cve:`2022-24303`: Temp image removal
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
2024-03-13 21:40:00 +03:00
|
|
|
|
2024-03-13 21:15:16 +03:00
|
|
|
If the path to the temporary directory on Linux or macOS
|
2022-02-03 01:48:56 +03:00
|
|
|
contained a space, this would break removal of the temporary image file after
|
|
|
|
``im.show()`` (and related actions), and potentially remove an unrelated file. This
|
2022-02-03 19:19:49 +03:00
|
|
|
has been present since PIL.
|
2022-02-03 01:48:56 +03:00
|
|
|
|
2024-03-14 20:58:05 +03:00
|
|
|
:cve:`2022-22817`: Restrict lambda expressions
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
2024-03-13 21:52:53 +03:00
|
|
|
|
2024-03-13 21:15:16 +03:00
|
|
|
While Pillow 9.0 restricted top-level builtins available to
|
2024-03-25 12:38:52 +03:00
|
|
|
:py:meth:`!PIL.ImageMath.eval`, it did not prevent builtins
|
2024-03-14 20:58:05 +03:00
|
|
|
available to lambda expressions. These are now also restricted.
|
2022-02-03 01:48:56 +03:00
|
|
|
|
|
|
|
Other Changes
|
|
|
|
=============
|
|
|
|
|
|
|
|
Pillow 9.0 added support for ``xdg-open`` as an image viewer, but there have been
|
|
|
|
reports that the temporary image file was removed too quickly to be loaded into the
|
|
|
|
final application. A delay has been added.
|