python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-01-26 01:04:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Restrict builtins within lambdas for ImageMath.eval

Browse Source
This commit is contained in:
Andrew Murray 2022-01-10 21:49:55 +11:00
parent 75b69dd239
commit c930be0758
2 changed files with 21 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Tests/test_imagemath.py
View File

@ -52,9 +52,17 @@ def test_ops():
assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0" assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
def test_prevent_exec(): @pytest.mark.parametrize(
"expression",
(
"exec('pass')",
"(lambda: exec('pass'))()",
"(lambda: (lambda: exec('pass'))())()",
),
)
def test_prevent_exec(expression):
with pytest.raises(ValueError): with pytest.raises(ValueError):
ImageMath.eval("exec('pass')") ImageMath.eval(expression)
def test_logical(): def test_logical():

15
src/PIL/ImageMath.py
View File

@ -246,11 +246,18 @@ def eval(expression, _dict={}, **kw):
if hasattr(v, "im"): if hasattr(v, "im"):
args[k] = _Operand(v) args[k] = _Operand(v)
code = compile(expression, "<string>", "eval") compiled_code = compile(expression, "<string>", "eval")
for name in code.co_names:
if name not in args and name != "abs":
raise ValueError(f"'{name}' not allowed")
def scan(code):
for const in code.co_consts:
if type(const) == type(compiled_code):
scan(const)
for name in code.co_names:
if name not in args and name != "abs":
raise ValueError(f"'{name}' not allowed")
scan(compiled_code)
out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args) out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
try: try:
return out.im return out.im