
CVE-2022-22817 Restrict builtins for ImageMath.eval() #5923

Merged
merged 1 commit into from Jan 2, 2022

Conversation

radarhere
Member

@radarhere radarhere commented Jan 2, 2022

To limit ImageMath to working with images, Pillow will now restrict the builtins available to ImageMath.eval(). This will help prevent problems arising if users evaluate arbitrary expressions, such as ImageMath.eval("exec(exit())").

hugovk
hugovk approved these changes Jan 2, 2022
@hugovk hugovk added the automerge label Jan 2, 2022
@mergify mergify bot merged commit d7f60d1 into python-pillow:main Jan 2, 2022
49 checks passed
@radarhere radarhere deleted the imagemath_eval branch Jan 2, 2022
@radarhere radarhere mentioned this pull request Jan 2, 2022
@hugovk hugovk mentioned this pull request Jan 7, 2022
@charmander

@charmander charmander commented Jan 10, 2022

ImageMath.eval("(lambda: exit())()")
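An added example, not Pillow's code and not the patch in this pull request, of the allow-list approach described in the description: an eval wrapper that compiles the expression, refuses any name outside an allow list, and also walks nested code objects so that the lambda form in the comment above is rejected before evaluation. The allow list, function names and sample inputs are assumptions.

```python
import builtins
import types

# Assumed allow list for the example; real image operations would live here.
SAFE_BUILTINS = {"abs": abs, "min": min, "max": max}


def _scan(code, allowed):
    """Reject any name the compiled expression references outside `allowed`.

    co_names holds both global names and attribute names, so "a.__class__"
    is refused as well as "exit". Nested code objects (lambdas, and
    comprehensions before Python 3.12) keep their own co_names, which is why
    checking the outer code object alone misses "(lambda: exit())()".
    """
    for name in code.co_names:
        if name not in allowed:
            raise ValueError(f"'{name}' not allowed")
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            _scan(const, allowed)


def restricted_eval(expression, **variables):
    """Evaluate `expression` with only SAFE_BUILTINS and `variables` visible."""
    code = compile(expression, "<string>", "eval")
    _scan(code, set(SAFE_BUILTINS) | set(variables))
    env = {"__builtins__": {}}  # no implicit builtins in the eval namespace
    env.update(SAFE_BUILTINS)
    env.update(variables)  # globals, so nested lambdas can see them too
    return builtins.eval(code, env)


def rejected(expression, **variables):
    """True when the name scan refuses `expression` with ValueError."""
    try:
        restricted_eval(expression, **variables)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(restricted_eval("abs(a - b)", a=3, b=10))  # 7
    print(rejected("exec(exit())"))  # True
    print(rejected("(lambda: exit())()"))  # True
```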

@hugovk hugovk changed the title Restrict builtins for ImageMath.eval() CVE-2022-22817 Restrict builtins for ImageMath.eval() Jan 10, 2022
@radarhere
Member Author

@radarhere radarhere commented Feb 2, 2022

I've created #6009 to address the comment from @charmander

@hugovk
Member

@hugovk hugovk commented Feb 3, 2022

@charmander Thanks for the note. In the future, when it comes to security-related issues, please could you check and follow the security policy of the project? If there's none available, it's good practice to ask how to disclose.

The Pillow one is here:

https://github.com/python-pillow/Pillow/security/policy

Thanks again.
