From 557ba59d13de919d04b3fd4cdef8634f7d4b3348
From: Andrew Murray
Date: Sat Dec 30 09:30:12 2023 +1100
Subject: [PATCH] python3-pillow: Include further builtins
CVE: CVE-2023-50447
Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348]
Signed-off-by: Rahul Janani Pandi
---
Tests/test_imagemath.py | 5 +++++
docs/releasenotes/9.4.0.rst | 8 ++++++++
src/PIL/ImageMath.py | 2 +-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
index ded8c0011..124687478 100644
--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
@@ -67,6 +67,11 @@ def test_prevent_double_underscores():
 with pytest.raises(ValueError):
 ImageMath.eval("1", {"__": None})
+def test_prevent_builtins():
+ with pytest.raises(ValueError):
+ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
+
+
 def test_logical():
 assert pixel(ImageMath.eval("not A", images)) == 0
diff --git a/docs/releasenotes/9.4.0.rst b/docs/releasenotes/9.4.0.rst
index 0af5bc8ca..9ca7c9f6f 100644
--- a/docs/releasenotes/9.4.0.rst
+++ b/docs/releasenotes/9.4.0.rst
@@ -88,6 +88,14 @@ Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a crash. An error is now raised instead. This has been present since Pillow 8.0.0.
+Restricted environment keys for ImageMath.eval
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+:cve:`2023-50447`: If an attacker has control over the keys passed to the
+``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
+arbitrary code. To prevent this, keys matching the names of builtins and keys
+containing double underscores will now raise a :py:exc:`ValueError`.
+
 Other Changes
 =============
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
index c14598a4c..b2c50bc5b 100644
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
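Review bot: The new test only exercises a key supplied through the `_dict` positional argument, while the check it covers (`for k in list(_dict.keys()) + list(kw.keys())` in src/PIL/ImageMath.py) also validates keyword-argument keys, so a second assertion such as `ImageMath.eval("1", exec=None)` inside the same `pytest.raises` block would pin both paths. The expression string appears to do no work here: the `ValueError` is raised while the namespace is being built, so the sibling test's form `ImageMath.eval("1", {"exec": None})` states the contract (the key is rejected, regardless of expression) more directly and keeps the regression test from reading like a recipe. `test_prevent_double_underscores`'s `def` line lies outside the hunk.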
@@ -238,7 +238,7 @@ def eval(expression, _dict={}, **kw):
 # build execution namespace
 args = ops.copy()
 for k in list(_dict.keys()) + list(kw.keys()):
- if "__" in k or hasattr(__builtins__, k):
+ if "__" in k or hasattr(builtins, k):
 msg = f"'{k}' not allowed"
 raise ValueError(msg)
-- 
2.40.0
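Review bot: The one-token fix leaves no trace of why `__builtins__` was wrong, and a future reader is likely to "simplify" it back; a why-comment above the `if` would guard against that, e.g. `# __builtins__ is a dict (not a module) in any module other than __main__ — a CPython detail —` / `# so hasattr(__builtins__, k) never matched; the builtins module exposes every builtin as an attribute.` The new line references the name `builtins` but the hunk adds no import and the diffstat shows one insertion and one deletion, so the backport relies on an `import builtins` already present at the top of src/PIL/ImageMath.py; worth confirming in the target version, since a missing import would turn every call with a non-empty environment into a `NameError`. The check is a name denylist (`"__"` substrings and builtin names) applied only to the caller-supplied keys, and a short comment saying so would make that scope clear. `eval`'s body starts before and continues after this hunk.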