Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-22817 Restrict builtins for ImageMath.eval() #5923

Merged
merged 1 commit into from
Jan 2, 2022

Conversation

radarhere
Copy link
Member

To limit ImageMath to working with images, Pillow will now restrict the builtins available to ImageMath.eval(). This will help prevent problems arising if users evaluate arbitrary expressions, such as ImageMath.eval("exec(exit())").

@hugovk hugovk added the automerge Automatically merge PRs that are ready label Jan 2, 2022
@mergify mergify bot merged commit d7f60d1 into python-pillow:main Jan 2, 2022
@radarhere radarhere deleted the imagemath_eval branch January 2, 2022 07:05
@radarhere radarhere mentioned this pull request Jan 2, 2022
@hugovk hugovk mentioned this pull request Jan 7, 2022
@charmander
Copy link

ImageMath.eval("(lambda: exit())()")

@hugovk hugovk changed the title Restrict builtins for ImageMath.eval() CVE-2022-22817 Restrict builtins for ImageMath.eval() Jan 10, 2022
@radarhere
Copy link
Member Author

I've created #6009 to address the comment from @charmander

@hugovk
Copy link
Member

hugovk commented Feb 3, 2022

@charmander Thanks for the note. In the future, when it comes to security-related issues, please could you check and follow the security policy of the project? If there's none available, it's good practice to ask how to disclose.

The Pillow one is here:

https://github.com/python-pillow/Pillow/security/policy

Thanks again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
automerge Automatically merge PRs that are ready
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants