mirror of
https://github.com/python-pillow/Pillow.git
synced 2024-12-25 17:36:18 +03:00
Include further builtins
This commit is contained in:
parent
0ca3c33c59
commit
557ba59d13
|
@ -69,6 +69,11 @@ def test_prevent_double_underscores():
|
|||
ImageMath.eval("1", {"__": None})
|
||||
|
||||
|
||||
def test_prevent_builtins():
|
||||
with pytest.raises(ValueError):
|
||||
ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
|
||||
|
||||
|
||||
def test_logical():
|
||||
assert pixel(ImageMath.eval("not A", images)) == 0
|
||||
assert pixel(ImageMath.eval("A and B", images)) == "L 2"
|
||||
|
|
|
@ -62,10 +62,13 @@ output only the quantization and Huffman tables for the image.
|
|||
Security
|
||||
========
|
||||
|
||||
TODO
|
||||
^^^^
|
||||
Restricted environment keys for ImageMath.eval
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
TODO
|
||||
:cve:`2023-50447`: If an attacker has control over the keys passed to the
|
||||
``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
|
||||
arbitrary code. To prevent this, keys matching the names of builtins and keys
|
||||
containing double underscores will now raise a :py:exc:`ValueError`.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
|
|
@ -235,7 +235,7 @@ def eval(expression, _dict={}, **kw):
|
|||
# build execution namespace
|
||||
args = ops.copy()
|
||||
for k in list(_dict.keys()) + list(kw.keys()):
|
||||
if "__" in k or hasattr(__builtins__, k):
|
||||
if "__" in k or hasattr(builtins, k):
|
||||
msg = f"'{k}' not allowed"
|
||||
raise ValueError(msg)
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user