Added danger alerts

Andrew Murray 2024-03-26 06:16:09 +11:00 committed by Hugo van Kemenade
parent a7e82cbe9a
commit f932cb895f


@ -46,10 +46,13 @@ Example: Using the :py:mod:`~PIL.ImageMath` module
.. py:function:: unsafe_eval(expression, environment) .. py:function:: unsafe_eval(expression, environment)
Evaluates an image expression. This uses Python's ``eval()`` function to process Evaluates an image expression.
the expression string, and carries the security risks of doing so. It is not
.. danger::
This uses Python's ``eval()`` function to process the expression string,
and carries the security risks of doing so. It is not
recommended to process expressions without considering this. recommended to process expressions without considering this.
:py:meth:`~lambda_eval` is a more secure alternative. :py:meth:`lambda_eval` is a more secure alternative.
:py:mod:`~PIL.ImageMath` only supports single-layer images. To process multi-band :py:mod:`~PIL.ImageMath` only supports single-layer images. To process multi-band
images, use the :py:meth:`~PIL.Image.Image.split` method or images, use the :py:meth:`~PIL.Image.Image.split` method or
@ -69,14 +72,17 @@ Example: Using the :py:mod:`~PIL.ImageMath` module
Expression syntax Expression syntax
----------------- -----------------
:py:meth:`~lambda_eval` expressions are functions that receive a dictionary containing * :py:meth:`lambda_eval` expressions are functions that receive a dictionary
images and operators. containing images and operators.
:py:meth:`~unsafe_eval` expressions are standard Python expressions, but theyre * :py:meth:`unsafe_eval` expressions are standard Python expressions,
evaluated in a non-standard environment. but theyre evaluated in a non-standard environment.
In both cases, you can use Pillow methods as usual, plus the following set of operators .. danger::
and functions. :py:meth:`unsafe_eval` uses Python's ``eval()`` function to process the
expression string, and carries the security risks of doing so.
It is not recommended to process expressions without considering this.
:py:meth:`lambda_eval` is a more secure alternative.
Standard Operators Standard Operators
^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^
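Review bot: the `.. danger::` block added after the bullet list repeats, word for word, the one added to the `unsafe_eval` entry in the previous hunk; two copies of the same security warning will drift apart the next time one is edited. Suggest keeping the full text on the function entry and reducing this one to a single sentence with a cross-reference, e.g. `:py:func:`unsafe_eval` passes the expression string to ``eval()``; see its description for the security implications.` Same role mismatch as above: these targets are `.. py:function::` entries, so `:py:func:` rather than `:py:meth:`. Also, as rendered here the second bullet reads "but theyre evaluated", missing the apostrophe in "they're"; if that is in the source rather than an extraction artifact, it is worth fixing while these lines are being touched.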