Include further builtins

radarhere · Oct 28, 2023 · 2cb659b · 2cb659b
1 parent 74f107d
commit 2cb659b
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
@@ -68,6 +68,11 @@ def test_prevent_double_underscores():
         ImageMath.eval("1", {"__": None})
 
 
+def test_prevent_builtins():
+    with pytest.raises(ValueError):
+        ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
+
+
 def test_logical():
     assert pixel(ImageMath.eval("not A", images)) == 0
     assert pixel(ImageMath.eval("A and B", images)) == "L 2"

diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
@@ -238,7 +238,7 @@ def eval(expression, _dict={}, **kw):
     # build execution namespace
     args = ops.copy()
     for k in list(_dict.keys()) + list(kw.keys()):
-        if "__" in k or hasattr(__builtins__, k):
+        if "__" in k or hasattr(builtins, k):
             msg = f"'{k}' not allowed"
             raise ValueError(msg)