Added release notes and document deprecation

2024-11-10 19:56:47 +03:00 · 2024-03-26 06:32:42 +11:00 · 2024-03-26 06:32:42 +11:00 · f6596d5293
commit f6596d5293
parent f932cb895f
2 changed files with 23 additions and 3 deletions
--- a/docs/deprecations.rst
+++ b/docs/deprecations.rst
@ -92,6 +92,14 @@ Deprecated                                    Use instead
                                              :py:data:`sys.version_info`, and ``PIL.__version__``
 ============================================  ====================================================

+ImageMath eval()
+^^^^^^^^^^^^^^^^
+
+.. deprecated:: 10.3.0
+
+``ImageMath.eval()`` has been deprecated. Use :py:meth:`~PIL.ImageMath.lambda_eval` or
+:py:meth:`~PIL.ImageMath.unsafe_eval` instead.
+
 Removed features
 ----------------

--- a/docs/releasenotes/10.3.0.rst
+++ b/docs/releasenotes/10.3.0.rst
@ -4,10 +4,15 @@
 Security
 ========

-TODO
-^^^^
+ImageMath eval()
+^^^^^^^^^^^^^^^^

-TODO
+.. danger::
+  ``ImageMath.eval()`` uses Python's ``eval()`` function to process the expression
+  string, and carries the security risks of doing so. A direct replacement for this is
+  the new :py:meth:`~PIL.ImageMath.unsafe_eval`, but that carries the same risks. It is
+  not recommended to process expressions without considering this.
+  :py:meth:`~PIL.ImageMath.lambda_eval` is a more secure alternative.

 :cve:`YYYY-XXXXX`: TODO
 ^^^^^^^^^^^^^^^^^^^^^^^
@ -58,6 +63,13 @@ Deprecated                                    Use instead
                                              :py:data:`sys.version_info`, and ``PIL.__version__``
 ============================================  ====================================================

+ImageMath.eval()
+^^^^^^^^^^^^^^^^
+
+``ImageMath.eval()`` has been deprecated. Use :py:meth:`~PIL.ImageMath.lambda_eval` or
+:py:meth:`~PIL.ImageMath.unsafe_eval` instead. See earlier security notes for more
+information.
+
 API Changes
 ===========