Include further builtins

This commit is contained in:
Andrew Murray 2023-12-30 09:30:12 +11:00
parent 0ca3c33c59
commit 557ba59d13
3 changed files with 12 additions and 4 deletions

View File

@ -69,6 +69,11 @@ def test_prevent_double_underscores():
ImageMath.eval("1", {"__": None})
def test_prevent_builtins():
with pytest.raises(ValueError):
ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
def test_logical():
assert pixel(ImageMath.eval("not A", images)) == 0
assert pixel(ImageMath.eval("A and B", images)) == "L 2"

View File

@ -62,10 +62,13 @@ output only the quantization and Huffman tables for the image.
Security
========
TODO
^^^^
Restricted environment keys for ImageMath.eval
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TODO
:cve:`2023-50447`: If an attacker has control over the keys passed to the
``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
arbitrary code. To prevent this, keys matching the names of builtins and keys
containing double underscores will now raise a :py:exc:`ValueError`.
Other Changes
=============

View File

@ -235,7 +235,7 @@ def eval(expression, _dict={}, **kw):
# build execution namespace
args = ops.copy()
for k in list(_dict.keys()) + list(kw.keys()):
if "__" in k or hasattr(__builtins__, k):
if "__" in k or hasattr(builtins, k):
msg = f"'{k}' not allowed"
raise ValueError(msg)