python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-02-04 21:50:54 +03:00
Code Issues Packages Projects Releases Wiki Activity

Don't allow __ or builtins in env dictionarys for ImageMath.eval

Browse Source
This commit is contained in:
Eric Soroos 2023-10-27 11:21:18 +02:00 committed by Andrew Murray
parent c3af2643dd
commit 45c726fd4d
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/PIL/ImageMath.py
View File

@ -237,6 +237,10 @@ def eval(expression, _dict={}, **kw):
args.update(_dict) args.update(_dict)
args.update(kw) args.update(kw)
for k, v in args.items(): for k, v in args.items():
if '__' in k or hasattr(__builtins__, k):
msg = f"'{k}' not allowed"
raise ValueError(msg)
if hasattr(v, "im"): if hasattr(v, "im"):
args[k] = _Operand(v) args[k] = _Operand(v)