Security - Eval Injection
dpramani opened this issue · comments
dpramani commented
Hi
I am using version 7.7.1 of minimalcompact/thumbor in one of my apps.
Current version of pillow seems to be vulnerable to Eval Injection.
Are there releases that handle this?
Thanks
Pablo Aguiar commented
Thumbor makes no use of ImageMath.eval. Therefore, it's not affected by such a vulnerability. Thanks for reporting, @dpramani
Marcelo Jorge Vieira commented
https://github.com/thumbor/thumbor/blob/master/setup.py#L154
# TODO: Pillow version 10.1.0 is raising a PIL.Image.DecompressionBombError on tests
"Pillow==10.*,<10.1.0",