File CVE-2023-50447-environment-keys-filtering.patch of Package python-Pillow.35230
From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001 From: Eric Soroos <eric-github@soroos.net> Date: Fri, 27 Oct 2023 11:21:18 +0200 Subject: [PATCH 1/3] Don't allow __ or builtins in env dictionarys for ImageMath.eval --- src/PIL/ImageMath.py | 4 ++++ 1 file changed, 4 insertions(+) Index: Pillow-7.2.0/src/PIL/ImageMath.py =================================================================== --- Pillow-7.2.0.orig/src/PIL/ImageMath.py +++ Pillow-7.2.0/src/PIL/ImageMath.py @@ -240,6 +240,11 @@ def eval(expression, _dict={}, **kw): # build execution namespace args = ops.copy() + for k in list(_dict.keys()) + list(kw.keys()): + if "__" in k or hasattr(builtins, k): + msg = "'{%s}' not allowed" % k + raise ValueError(msg) + args.update(_dict) args.update(kw) for k, v in list(args.items()): Index: Pillow-7.2.0/Tests/test_imagemath.py =================================================================== --- Pillow-7.2.0.orig/Tests/test_imagemath.py +++ Pillow-7.2.0/Tests/test_imagemath.py @@ -1,3 +1,5 @@ +import pytest + from PIL import Image, ImageMath @@ -50,6 +52,16 @@ def test_ops(): assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0" +def test_prevent_double_underscores(): + with pytest.raises(ValueError): + ImageMath.eval("1", {"__": None}) + + +def test_prevent_builtins(): + with pytest.raises(ValueError): + ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}) + + def test_logical(): assert pixel(ImageMath.eval("not A", images)) == 0 assert pixel(ImageMath.eval("A and B", images)) == "L 2"
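Review bot: the key filter added to `eval` in `src/PIL/ImageMath.py` validates only the names arriving through `_dict` and `**kw`, not the expression string that is evaluated afterwards, so on its own it closes just the name-shadowing route; that matches the subject line marking this as "[PATCH 1/3]", and the package changelog should say so explicitly so the remaining two patches of the series are not dropped during a rebase. Two smaller points in the same hunk: `msg = "'{%s}' not allowed" % k` mixes f-string braces with %-formatting and yields a message such as `'{exec}' not allowed` with literal braces, so the braces should go; and `hasattr(builtins, k)` now rejects image names that happen to be Python builtins (`abs`, `min`, `max`, `float`, `int`), which is a deliberate behaviour change for existing callers and belongs in the changelog. No `import builtins` is added here, so confirm the module already imports it at the top before relying on `hasattr(builtins, k)`.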
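Review bot: neither new test in `Tests/test_imagemath.py` asserts on the error text, so the literal-brace formatting of the `ValueError` raised by `ImageMath.eval` passes unnoticed; use `pytest.raises(ValueError, match=...)` with the expected message in both tests. In `test_prevent_builtins`, the `{"exec": None}` key is rejected before the expression is ever compiled, so the expression `(lambda: exec('exit()'))()` is never exercised, and if the key filter ever regressed it would terminate the interpreter instead of producing an ordinary assertion failure; a side-effect-free expression such as `"1"`, as already used in `test_prevent_double_underscores`, makes a regression show up as a plain failure. A positive case confirming that an ordinary name that is neither a dunder nor a builtin is still accepted would round this out, unless the existing `test_ops` use of `A` and `B` is considered sufficient coverage.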