Forbid Lambda expressions in ImageMath.eval() #5963
feliperalmeida wants to merge 1 commit into python-pillow:main
Conversation
Hi. I've just merged #6009 instead of this.

@feliperalmeida And thanks for the PR! In the future, when it comes to security-related issues, please could you check and follow the security policy of the project? If there's none available, it's good practice to ask how to disclose. The Pillow one is here: https://github.com/python-pillow/Pillow/security/policy Thanks again!

@hugovk Sure, no problem. The only reason I opened the PR instead of communicating privately was because it was already made "public" in this comment. So I thought raising a PR would help to expedite the fix. Thanks.
Description
This is an additional fix for CVE-2022-22817 (addressed in #5923). As commented in the original PR, it's still possible to execute arbitrary code via lambda expressions, e.g.:

`ImageMath.eval("(lambda: exit())()")`

Original Fix
The original fix checks all `co_names` in the compiled `expression` passed to `ImageMath.eval()` against builtins names. However, lambda expressions generate anonymous functions, and they're not listed in the `co_names` structure.

Changes in this PR
This PR forbids lambda expressions from being passed to `ImageMath.eval()` by verifying all function names in the literals section of the bytecode (`co_consts`).

Trade-offs
Lambda expressions will no longer be supported in `ImageMath.eval()`. If such support is desired, all code objects inside `co_consts` can be verified in the same way as the original fix does (iterating through `co_names` and verifying against builtins names). Please let me know in the comments if I can rewrite this fix.
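As an added example (not the PR's or Pillow's own code) of the alternative sketched under Trade-offs: the `co_names` check is applied recursively to every code object found in `co_consts`, so a lambda is accepted but, like the top-level expression, may only name the supplied variables and an explicit allowlist of functions. The allowlist, the `rejected_names`/`safe_eval` names and the empty `__builtins__` namespace are assumptions of this example.

```python
import types


def _code_objects(code):
    """Yield `code` and, recursively, every code object nested in its
    co_consts (lambda bodies, nested comprehensions, ...)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from _code_objects(const)


def rejected_names(expression, allowed):
    """Return every name referenced by the expression, or by any code
    object it contains, that is not in `allowed` (empty list = OK)."""
    code = compile(expression, "<string>", "eval")
    allowed = set(allowed)
    return [
        name
        for co in _code_objects(code)
        for name in co.co_names  # globals and attributes, never locals
        if name not in allowed
    ]


def safe_eval(expression, env, functions=None):
    """Evaluate `expression` with only the variables in `env` and the
    functions in `functions` (default: abs, as an assumed allowlist).

    The check runs before evaluation, and the evaluation namespace has
    an empty __builtins__ so nothing outside the allowlist resolves.
    """
    functions = dict(functions) if functions else {"abs": abs}
    bad = rejected_names(expression, set(env) | set(functions))
    if bad:
        raise ValueError(f"'{bad[0]}' not allowed")
    namespace = {"__builtins__": {}, **functions, **env}
    return eval(compile(expression, "<string>", "eval"), namespace)


if __name__ == "__main__":
    # Constructed inputs: the PR's lambda case and two benign expressions.
    print(rejected_names("(lambda: exit())()", {"a"}))      # ['exit']
    print(safe_eval("abs(a) + b", {"a": -3, "b": 4}))       # 7
    print(safe_eval("(lambda x: x + a)(b)", {"a": 2, "b": 3}))  # 5
```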