1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
From 557ba59d13de919d04b3fd4cdef8634f7d4b3348 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sat, 30 Dec 2023 09:30:12 +1100
Subject: [PATCH] Include further builtins
Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348]
CVE: CVE-2023-50447
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
Tests/test_imagemath.py | 4 ++++
src/PIL/ImageMath.py | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
index 14a58a532..5bba832e2 100644
--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
@@ -60,6 +60,10 @@ class TestImageMath(PillowTestCase):
with pytest.raises(ValueError):
ImageMath.eval("1", {"__": None})
+ def test_prevent_builtins():
+ with pytest.raises(ValueError):
+ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
+
def test_logical(self):
self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
index 776604e3f..c6bc22180 100644
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@@ -259,7 +259,7 @@ def eval(expression, _dict={}, **kw):
# build execution namespace
args = ops.copy()
for k in list(_dict.keys()) + list(kw.keys()):
- if "__" in k or hasattr(__builtins__, k):
+ if "__" in k or hasattr(builtins, k):
msg = f"'{k}' not allowed"
raise ValueError(msg)
--
2.25.1
|
