File CVE-2023-50447-environment-keys-filtering.patch of Package python-Pillow.33217
From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Fri, 27 Oct 2023 11:21:18 +0200
Subject: [PATCH 1/3] Don't allow __ or builtins in env dictionarys for
ImageMath.eval
---
src/PIL/ImageMath.py | 4 ++++
1 file changed, 4 insertions(+)
Index: Pillow-7.2.0/src/PIL/ImageMath.py
===================================================================
--- Pillow-7.2.0.orig/src/PIL/ImageMath.py
+++ Pillow-7.2.0/src/PIL/ImageMath.py
@@ -240,6 +240,11 @@ def eval(expression, _dict={}, **kw):
# build execution namespace
args = ops.copy()
+ for k in list(_dict.keys()) + list(kw.keys()):
+ if "__" in k or hasattr(builtins, k):
+ msg = "'{%s}' not allowed" % k
+ raise ValueError(msg)
+
args.update(_dict)
args.update(kw)
for k, v in list(args.items()):
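Review bot: The message built on the `msg = "'{%s}' not allowed" % k` line renders with literal braces, e.g. `'{__}' not allowed`, because the template mixes f-string braces with %-formatting; `msg = "'%s' not allowed" % k` gives the intended quoting. The new loop is a denylist on namespace key names only — the expression string itself is presumably still handed to the interpreter's eval later in this function, outside the hunk — so a comment above the loop should make that scope explicit, e.g. `# Reject namespace keys that could expose dunder attributes or shadow builtins; this does not make eval() safe for untrusted expressions.` The check also relies on `builtins` being imported at module level, which is not visible in this hunk. The body of `eval` continues past the end of the hunk.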
Index: Pillow-7.2.0/Tests/test_imagemath.py
===================================================================
--- Pillow-7.2.0.orig/Tests/test_imagemath.py
+++ Pillow-7.2.0/Tests/test_imagemath.py
@@ -1,3 +1,5 @@
+import pytest
+
from PIL import Image, ImageMath
@@ -50,6 +52,16 @@ def test_ops():
assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
+def test_prevent_double_underscores():
+ with pytest.raises(ValueError):
+ ImageMath.eval("1", {"__": None})
+
+
+def test_prevent_builtins():
+ with pytest.raises(ValueError):
+ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
+
+
def test_logical():
assert pixel(ImageMath.eval("not A", images)) == 0
assert pixel(ImageMath.eval("A and B", images)) == "L 2"