Don't allow __ or builtins in env dictionarys for ImageMath.eval

2025-01-26 09:14:27 +03:00 · 2023-10-27 11:21:18 +02:00 · 2023-10-27 11:21:18 +02:00 · 45c726fd4d
commit 45c726fd4d
parent c3af2643dd
1 changed files with 4 additions and 0 deletions
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@ -237,6 +237,10 @@ def eval(expression, _dict={}, **kw):
    args.update(_dict)
    args.update(kw)
    for k, v in args.items():
+        if '__' in k or hasattr(__builtins__, k):
+            msg = f"'{k}' not allowed"
+            raise ValueError(msg)
+
        if hasattr(v, "im"):
            args[k] = _Operand(v)