Restrict builtins within lambdas for ImageMath.eval

2025-11-04 09:57:43 +03:00 · 2022-01-10 21:49:55 +11:00 · 2022-01-10 21:49:55 +11:00 · dd46100bdc
commit dd46100bdc
parent eccd853d14
2 changed files with 21 additions and 6 deletions
--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
@ -52,9 +52,17 @@ def test_ops():
    assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"


-def test_prevent_exec():
+@pytest.mark.parametrize(
+    "expression",
+    (
+        "exec('pass')",
+        "(lambda: exec('pass'))()",
+        "(lambda: (lambda: exec('pass'))())()",
+    ),
+)
+def test_prevent_exec(expression):
    with pytest.raises(ValueError):
-        ImageMath.eval("exec('pass')")
+        ImageMath.eval(expression)


 def test_logical():
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@ -240,11 +240,18 @@ def eval(expression, _dict={}, **kw):
        if hasattr(v, "im"):
            args[k] = _Operand(v)

-    code = compile(expression, "<string>", "eval")
-    for name in code.co_names:
-        if name not in args and name != "abs":
-            raise ValueError(f"'{name}' not allowed")
+    compiled_code = compile(expression, "<string>", "eval")

+    def scan(code):
+        for const in code.co_consts:
+            if type(const) == type(compiled_code):
+                scan(const)
+
+        for name in code.co_names:
+            if name not in args and name != "abs":
+                raise ValueError(f"'{name}' not allowed")
+
+    scan(compiled_code)
    out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
    try:
        return out.im