File 032-CVE-2023-50447.patch of Package python-Pillow

From 7b8d4a73c03fc799440a3cb3c44601ef4a834e23 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Fri, 27 Oct 2023 11:21:18 +0200
Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
 ImageMath.eval

(cherry picked from commit 45c726fd4daa63236a8f3653530f297dc87b160a)

Allow ops

(cherry picked from commit 0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80)

Include further builtins

(cherry picked from commit 557ba59d13de919d04b3fd4cdef8634f7d4b3348)
---
 Tests/test_imagemath.py | 7 +++++++
 src/PIL/ImageMath.py    | 7 ++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
index 7496ec3c4..7f786058d 100644
--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
@@ -64,6 +64,13 @@ class TestImageMath(PillowTestCase):
         with pytest.raises(ValueError):
             ImageMath.eval("exit")
 
+    def test_prevent_double_underscores(self):
+        with pytest.raises(ValueError):
+            ImageMath.eval("1", {"__": None})
+
+    def test_prevent_builtins(self):
+        with pytest.raises(ValueError):
+            ImageMath.eval("(lambda: eval('exit()'))()", {"eval": None})
 
     def test_logical(self):
         self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
index e5c7701ab..8fa083d09 100644
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@@ -258,9 +258,14 @@ def eval(expression, _dict={}, **kw):
 
     # build execution namespace
     args = ops.copy()
+    for k in list(_dict.keys()) + list(kw.keys()):
+        if "__" in k or hasattr(builtins, k):
+            msg = "'{}' not allowed".format(k)
+            raise ValueError(msg)
+
     args.update(_dict)
     args.update(kw)
-    for k, v in list(args.items()):
+    for k, v in args.items():
         if hasattr(v, "im"):
             args[k] = _Operand(v)
 
-- 
2.34.1

openSUSE Build Service is sponsored by