python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-08-20 20:24:45 +03:00
Code Issues Packages Projects Releases Wiki Activity

Forbid lambda expressions in ImageMath.eval()

Browse Source
This commit is contained in:
Felipe Rosa de Almeida 2022-01-16 19:11:21 -03:00
parent 730e24e163
commit 6790f1869a
2 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Tests/test_imagemath.py
View File

@ -52,9 +52,10 @@ def test_ops():
assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0" assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
def test_prevent_exec(): @pytest.mark.parametrize("expression", ("exec('pass')", "(lambda: None)()"))
def test_prevent_exec(expression):
with pytest.raises(ValueError): with pytest.raises(ValueError):
ImageMath.eval("exec('pass')") ImageMath.eval(expression)
def test_logical(): def test_logical():

3
src/PIL/ImageMath.py
View File

@ -244,6 +244,9 @@ def eval(expression, _dict={}, **kw):
for name in code.co_names: for name in code.co_names:
if name not in args and name != "abs": if name not in args and name != "abs":
raise ValueError(f"'{name}' not allowed") raise ValueError(f"'{name}' not allowed")
for const in code.co_consts:
if getattr(const, "co_name", None) == "<lambda>":
raise ValueError("Lambda expressions are not allowed")
out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args) out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
try: try: