Don't allow __ or builtins in env dictionarys for ImageMath.eval

python-pillow · Dec 29, 2023 · 45c726f · 45c726f
1 parent c3af264
commit 45c726f
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
@@ -237,6 +237,10 @@ def eval(expression, _dict={}, **kw):
     args.update(_dict)
     args.update(kw)
     for k, v in args.items():
+        if '__' in k or hasattr(__builtins__, k):
+            msg = f"'{k}' not allowed"
+            raise ValueError(msg)
+
         if hasattr(v, "im"):
             args[k] = _Operand(v)