mirror of
git://git.openembedded.org/meta-openembedded
synced 2026-01-04 16:10:10 +00:00
c74ebbddfd
Upstream-Status: Backport [45c726fd4d&0ca3c33c59&557ba59d13] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
45 lines
1.6 KiB
Diff
45 lines
1.6 KiB
Diff
From 557ba59d13de919d04b3fd4cdef8634f7d4b3348 Mon Sep 17 00:00:00 2001
|
|
From: Andrew Murray <radarhere@users.noreply.github.com>
|
|
Date: Sat, 30 Dec 2023 09:30:12 +1100
|
|
Subject: [PATCH] Include further builtins
|
|
|
|
Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348]
|
|
CVE: CVE-2023-50447
|
|
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
|
---
|
|
Tests/test_imagemath.py | 4 ++++
|
|
src/PIL/ImageMath.py | 2 +-
|
|
2 files changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
|
|
index 14a58a532..5bba832e2 100644
|
|
--- a/Tests/test_imagemath.py
|
|
+++ b/Tests/test_imagemath.py
|
|
@@ -60,6 +60,10 @@ class TestImageMath(PillowTestCase):
|
|
with pytest.raises(ValueError):
|
|
ImageMath.eval("1", {"__": None})
|
|
|
|
+ def test_prevent_builtins():
|
|
+ with pytest.raises(ValueError):
|
|
+ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
|
|
+
|
|
def test_logical(self):
|
|
self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
|
|
self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
|
|
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
|
|
index 776604e3f..c6bc22180 100644
|
|
--- a/src/PIL/ImageMath.py
|
|
+++ b/src/PIL/ImageMath.py
|
|
@@ -259,7 +259,7 @@ def eval(expression, _dict={}, **kw):
|
|
# build execution namespace
|
|
args = ops.copy()
|
|
for k in list(_dict.keys()) + list(kw.keys()):
|
|
- if "__" in k or hasattr(__builtins__, k):
|
|
+ if "__" in k or hasattr(builtins, k):
|
|
msg = f"'{k}' not allowed"
|
|
raise ValueError(msg)
|
|
|
|
--
|
|
2.25.1
|
|
|