File CVE-2023-50447-environment-keys-filtering.patch of Package python-Pillow
From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001 From: Eric Soroos <eric-github@soroos.net> Date: Fri, 27 Oct 2023 11:21:18 +0200 Subject: [PATCH 1/3] Don't allow __ or builtins in env dictionarys for ImageMath.eval --- src/PIL/ImageMath.py | 4 ++++ 1 file changed, 4 insertions(+) Index: Pillow-9.5.0/src/PIL/ImageMath.py =================================================================== --- Pillow-9.5.0.orig/src/PIL/ImageMath.py +++ Pillow-9.5.0/src/PIL/ImageMath.py @@ -237,6 +237,11 @@ def eval(expression, _dict={}, **kw): # build execution namespace args = ops.copy() + for k in list(_dict.keys()) + list(kw.keys()): + if "__" in k or hasattr(builtins, k): + msg = "'{%s}' not allowed" % k + raise ValueError(msg) + args.update(_dict) args.update(kw) for k, v in list(args.items()): Index: Pillow-9.5.0/Tests/test_imagemath.py =================================================================== --- Pillow-9.5.0.orig/Tests/test_imagemath.py +++ Pillow-9.5.0/Tests/test_imagemath.py @@ -63,6 +63,16 @@ def test_prevent_exec(expression): ImageMath.eval(expression) +def test_prevent_double_underscores(): + with pytest.raises(ValueError): + ImageMath.eval("1", {"__": None}) + + +def test_prevent_builtins(): + with pytest.raises(ValueError): + ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}) + + def test_logical(): assert pixel(ImageMath.eval("not A", images)) == 0 assert pixel(ImageMath.eval("A and B", images)) == "L 2"
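Review bot: In the ImageMath.py hunk the error message `msg = "'{%s}' not allowed" % k` keeps literal braces around the `%s`, so a rejected key renders as `'{exec}' not allowed` rather than `'exec' not allowed`; this looks like a leftover from an f-string draft and should be either `"'%s' not allowed" % k` or `f"'{k}' not allowed"`. Two more points on the same loop: the check calls `hasattr(builtins, k)`, but no `import builtins` appears in the hunk, so please confirm the module already imports it at top level or add it in this patch; and because the test is purely name-based, any key that happens to share a name with a builtin (`min`, `max`, `int`, `float`, `abs`, ...) is now rejected even when the caller is passing an ordinary image, which is a behaviour change for existing users of `_dict`/`**kw` that should at least be mentioned in the changelog.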
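Review bot: In the Tests/test_imagemath.py hunk the two new tests only exercise the rejection path; there is no positive case showing that a normal key such as `A` or `B` still passes through `ImageMath.eval` after the filter, and nothing asserts on the error text, so the malformed `'{%s}'` message in the first hunk goes unnoticed. Suggest adding `assert pixel(ImageMath.eval("A", images)) == ...` alongside the new tests and using `pytest.raises(ValueError, match="not allowed")` so the message wording is covered too.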