python-pillow/SOURCES/CVE-2023-50447.patch

47 lines
1.6 KiB
Diff

From 5c3db10f7a9cafd9b2d145a40864a445b2ee6edc Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Thu, 25 Jan 2024 13:23:56 +0100
Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
ImageMath.eval
---
Tests/test_imagemath.py | 5 +++++
src/PIL/ImageMath.py | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
index d3b7ba3..2467078 100644
--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
@@ -63,6 +63,11 @@ class TestImageMath(PillowTestCase):
self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
+ def test_prevent_double_underscores(self):
+ self.assertRaises(ValueError, ImageMath.eval("1", {"__": None}))
+
+ def test_prevent_builtins(self):
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}))
def test_logical(self):
self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
index 13839e4..94108cf 100644
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@@ -257,6 +257,11 @@ def eval(expression, _dict={}, **kw):
# build execution namespace
args = ops.copy()
+ for k in list(_dict.keys()) + list(kw.keys()):
+ if "__" in k or hasattr(builtins, k):
+ msg = f"'{k}' not allowed"
+ raise ValueError(msg)
+
args.update(_dict)
args.update(kw)
for k, v in list(args.items()):
--
2.43.0