47 lines
1.6 KiB
Diff
47 lines
1.6 KiB
Diff
From 5c3db10f7a9cafd9b2d145a40864a445b2ee6edc Mon Sep 17 00:00:00 2001
|
|
From: Eric Soroos <eric-github@soroos.net>
|
|
Date: Thu, 25 Jan 2024 13:23:56 +0100
|
|
Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
|
|
ImageMath.eval
|
|
|
|
---
|
|
Tests/test_imagemath.py | 5 +++++
|
|
src/PIL/ImageMath.py | 5 +++++
|
|
2 files changed, 10 insertions(+)
|
|
|
|
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
|
|
index d3b7ba3..2467078 100644
|
|
--- a/Tests/test_imagemath.py
|
|
+++ b/Tests/test_imagemath.py
|
|
@@ -63,6 +63,11 @@ class TestImageMath(PillowTestCase):
|
|
self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
|
|
self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
|
|
|
|
+ def test_prevent_double_underscores(self):
|
|
+ self.assertRaises(ValueError, ImageMath.eval("1", {"__": None}))
|
|
+
|
|
+ def test_prevent_builtins(self):
|
|
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}))
|
|
|
|
def test_logical(self):
|
|
self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
|
|
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
|
|
index 13839e4..94108cf 100644
|
|
--- a/src/PIL/ImageMath.py
|
|
+++ b/src/PIL/ImageMath.py
|
|
@@ -257,6 +257,11 @@ def eval(expression, _dict={}, **kw):
|
|
|
|
# build execution namespace
|
|
args = ops.copy()
|
|
+ for k in list(_dict.keys()) + list(kw.keys()):
|
|
+ if "__" in k or hasattr(builtins, k):
|
|
+ msg = f"'{k}' not allowed"
|
|
+ raise ValueError(msg)
|
|
+
|
|
args.update(_dict)
|
|
args.update(kw)
|
|
for k, v in list(args.items()):
|
|
--
|
|
2.43.0
|
|
|