mirror of
https://github.com/python-pillow/Pillow.git
synced 2024-09-21 19:38:57 +03:00
24 lines
799 B
ReStructuredText
24 lines
799 B
ReStructuredText
9.0.1
|
|
-----
|
|
|
|
Security
|
|
========
|
|
|
|
This release addresses several security problems.
|
|
|
|
:cve:`CVE-2022-24303`: If the path to the temporary directory on Linux or macOS
|
|
contained a space, this would break removal of the temporary image file after
|
|
``im.show()`` (and related actions), and potentially remove an unrelated file. This
|
|
has been present since PIL.
|
|
|
|
:cve:`CVE-2022-22817`: While Pillow 9.0 restricted top-level builtins available to
|
|
:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda
|
|
expressions. These are now also restricted.
|
|
|
|
Other Changes
|
|
=============
|
|
|
|
Pillow 9.0 added support for ``xdg-open`` as an image viewer, but there have been
|
|
reports that the temporary image file was removed too quickly to be loaded into the
|
|
final application. A delay has been added.
|