blob: 13fbaf6d788e34b0c781f4679576b013a9dd05ed (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
From 45c726fd4daa63236a8f3653530f297dc87b160a
From: Eric Soroos <eric-github@soroos.net>
Date: Fri Oct 27 11:21:18 2023 +0200
Subject: [PATCH] python3-pillow: Don't allow __ or builtins in env dictionarys
CVE: CVE-2023-50447
Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a]
Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
---
src/PIL/ImageMath.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
index 71872a3fb..923a8eeae 100644
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@@ -240,6 +240,10 @@ def eval(expression, _dict={}, **kw):
args.update(_dict)
args.update(kw)
for k, v in args.items():
+ if '__' in k or hasattr(__builtins__, k):
+ msg = f"'{k}' not allowed"
+ raise ValueError(msg)
+
if hasattr(v, "im"):
args[k] = _Operand(v)
--
2.40.0
|
