mirror of
https://github.com/python-pillow/Pillow.git
synced 2024-11-10 19:56:47 +03:00
40 lines
1.1 KiB
ReStructuredText
40 lines
1.1 KiB
ReStructuredText
9.0.1
|
|
-----
|
|
|
|
Security
|
|
========
|
|
|
|
This release addresses several security problems.
|
|
|
|
Fix CVE-2022-24303
|
|
^^^^^^^^^^^^^^^^^^
|
|
|
|
.. note:: More information about this vulnerability included in database record :cve:`2022-24303`
|
|
|
|
Temp image removal
|
|
++++++++++++++++++
|
|
|
|
If the path to the temporary directory on Linux or macOS
|
|
contained a space, this would break removal of the temporary image file after
|
|
``im.show()`` (and related actions), and potentially remove an unrelated file. This
|
|
has been present since PIL.
|
|
|
|
Fix CVE-2022-24303
|
|
^^^^^^^^^^^^^^^^^^
|
|
|
|
.. note:: More information about this vulnerability included in database record :cve:`2022-22817`
|
|
|
|
Restrict lambda expressions
|
|
+++++++++++++++++++++++++++
|
|
|
|
While Pillow 9.0 restricted top-level builtins available to
|
|
:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda
|
|
expressions. These are now also restricted.
|
|
|
|
Other Changes
|
|
=============
|
|
|
|
Pillow 9.0 added support for ``xdg-open`` as an image viewer, but there have been
|
|
reports that the temporary image file was removed too quickly to be loaded into the
|
|
final application. A delay has been added.
|