diff options
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch')
| -rw-r--r-- | meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch new file mode 100644 index 0000000000..9c5d3fbcdc --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch | |||
| @@ -0,0 +1,54 @@ | |||
| 1 | From 0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Andrew Murray <radarhere@users.noreply.github.com> | ||
| 3 | Date: Sat, 28 Oct 2023 15:58:52 +1100 | ||
| 4 | Subject: [PATCH] Allow ops | ||
| 5 | |||
| 6 | Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80] | ||
| 7 | CVE: CVE-2023-50447 | ||
| 8 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 9 | --- | ||
| 10 | Tests/test_imagemath.py | 4 ++++ | ||
| 11 | src/PIL/ImageMath.py | 9 +++++---- | ||
| 12 | 2 files changed, 9 insertions(+), 4 deletions(-) | ||
| 13 | |||
| 14 | diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py | ||
| 15 | index da41b3a12..14a58a532 100644 | ||
| 16 | --- a/Tests/test_imagemath.py | ||
| 17 | +++ b/Tests/test_imagemath.py | ||
| 18 | @@ -56,6 +56,10 @@ class TestImageMath(PillowTestCase): | ||
| 19 | pixel(ImageMath.eval("float(B)**33", images)), "F 8589934592.0" | ||
| 20 | ) | ||
| 21 | |||
| 22 | + def test_prevent_double_underscores(): | ||
| 23 | + with pytest.raises(ValueError): | ||
| 24 | + ImageMath.eval("1", {"__": None}) | ||
| 25 | + | ||
| 26 | def test_logical(self): | ||
| 27 | self.assertEqual(pixel(ImageMath.eval("not A", images)), 0) | ||
| 28 | self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2") | ||
| 29 | diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py | ||
| 30 | index 4cea3855e..776604e3f 100644 | ||
| 31 | --- a/src/PIL/ImageMath.py | ||
| 32 | +++ b/src/PIL/ImageMath.py | ||
| 33 | @@ -258,13 +258,14 @@ def eval(expression, _dict={}, **kw): | ||
| 34 | |||
| 35 | # build execution namespace | ||
| 36 | args = ops.copy() | ||
| 37 | - args.update(_dict) | ||
| 38 | - args.update(kw) | ||
| 39 | - for k, v in list(args.items()): | ||
| 40 | - if '__' in k or hasattr(__builtins__, k): | ||
| 41 | + for k in list(_dict.keys()) + list(kw.keys()): | ||
| 42 | + if "__" in k or hasattr(__builtins__, k): | ||
| 43 | msg = f"'{k}' not allowed" | ||
| 44 | raise ValueError(msg) | ||
| 45 | |||
| 46 | + args.update(_dict) | ||
| 47 | + args.update(kw) | ||
| 48 | + for k, v in list(args.items()): | ||
| 49 | if hasattr(v, "im"): | ||
| 50 | args[k] = _Operand(v) | ||
| 51 | |||
| 52 | -- | ||
| 53 | 2.25.1 | ||
| 54 | |||