Thanks to visit codestin.com
Credit goes to github.com

Skip to content

CVE-2023-50447: Restricted env keys for ImageMath.eval()#38

Merged
icanhasmath merged 5 commits into
9.5.xfrom
cve-2023-50447
Apr 21, 2026
Merged

CVE-2023-50447: Restricted env keys for ImageMath.eval()#38
icanhasmath merged 5 commits into
9.5.xfrom
cve-2023-50447

Conversation

@icanhasmath

Copy link
Copy Markdown

Backports upstream fix for CVE-2023-50447 (arbitrary code execution via builtins/dunder keys in ImageMath.eval env).

Source

Changes

  • ImageMath.eval now raises ValueError when a user-supplied env key contains __ or matches a name on the builtins module.
  • Validation runs only over _dict and kw keys (not ops).
  • New tests test_prevent_double_underscores and test_prevent_builtins in Tests/test_imagemath.py.
  • Release notes added to new docs/releasenotes/9.5.0.1.rst (upstream's 10.2.0.rst update was dropped — not applicable to 9.5.x).

Test plan

  • pytest Tests/test_imagemath.py

@martinPavesio martinPavesio left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@icanhasmath icanhasmath merged commit c75335a into 9.5.x Apr 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants