[Gerrit] ...core[master]: [deps] require Pillow>=8.1.1 due to vulnerability found - Pywikibot-commits

1 Apr 2021

jenkins-bot has submitted this change. ( https://gerrit.wikimedia.org/r/c/pywikibot/core/+/675816 )
Change subject: [deps] require Pillow>=8.1.1 due to vulnerability found
......................................................................
[deps] require Pillow>=8.1.1 due to vulnerability found
Pillow>=8.1.1 does not support Python 3.5. Therefore raise a
RuntimeError if GUI is used with this old Python release.
Bug: T278743
Change-Id: I9fdacfeaf76d7eeff3fb2b9d64a43220097fc31e
---
M pywikibot/userinterfaces/gui.py
M requirements.txt
M setup.py
3 files changed, 13 insertions(+), 8 deletions(-)
Approvals:
  Xqt: Looks good to me, approved
  jenkins-bot: Verified

diff --git a/pywikibot/userinterfaces/gui.py b/pywikibot/userinterfaces/gui.py
index 2fd61e3..0f0b488 100644
--- a/pywikibot/userinterfaces/gui.py
+++ b/pywikibot/userinterfaces/gui.py
@@ -4,7 +4,7 @@
 Useful for editing the contents of an article.
 """
 #
-# (C) Pywikibot team, 2003-2020
+# (C) Pywikibot team, 2003-2021
 #
 # Distributed under the terms of the MIT license.
 #
@@ -560,6 +560,15 @@
def get_image(self, photo, width, height):
         """Take the BytesIO object and build an imageTK thumbnail."""
+        if PYTHON_VERSION < (3, 6):
+            # vulnerability found in Pillow<8.1.1
+            from sys import version
+            raise RuntimeError(
+                'This script requires Python 3.5+ for GUI support.\n'
+                '{version} is not supported. Please update your Python.'
+                .format(version=version.split(maxsplit=1)[0])
+            )
+
         try:
             from PIL import Image, ImageTk
         except ImportError:
diff --git a/requirements.txt b/requirements.txt
index 55d3e9f..a3338c8 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -36,9 +36,7 @@
 python-stdnum >= 1.16
# GUI
-Pillow >= 6.2.2, < 8.0.0 ; python_version < '3.6'
-Pillow >= 6.2.2 ; python_version >= '3.6' and python_version < '3.9'
-Pillow >= 8.0.0 ; python_version >= '3.9'
+Pillow >= 8.1.1 ; python_version >= '3.6'
# core pagegenerators
 google >= 1.7
diff --git a/setup.py b/setup.py
index 7847dce..6e60450 100644
--- a/setup.py
+++ b/setup.py
@@ -62,10 +62,8 @@
     'Graphviz': ['pydot>=1.2'],
     'Google': ['google>=1.7'],
     'mwparserfromhell': ['mwparserfromhell>=0.5.0'],
-    'Tkinter': [  # vulnerability found in Pillow<6.2.2
-        'Pillow>=6.2.2,<8.0.0;python_version<"3.6"',
-        'Pillow>=6.2.2;python_version>="3.6" and python_version<"3.9"',
-        'Pillow>=8.0.0;python_version>="3.9"',
+    'Tkinter': [  # vulnerability found in Pillow<8.1.1
+        'Pillow>=8.1.1;python_version>="3.6"',
     ],
     'mwoauth': ['mwoauth!=0.3.1,>=0.2.4'],
     'html': ['BeautifulSoup4'],
-- 
To view, visit https://gerrit.wikimedia.org/r/c/pywikibot/core/+/675816
To unsubscribe, or for help writing mail filters, visit https://gerrit.wikimedia.org/r/settings

Gerrit-Project: pywikibot/core
Gerrit-Branch: master
Gerrit-Change-Id: I9fdacfeaf76d7eeff3fb2b9d64a43220097fc31e
Gerrit-Change-Number: 675816
Gerrit-PatchSet: 3
Gerrit-Owner: Xqt info@gno.de
Gerrit-Reviewer: Dvorapa dvorapa@seznam.cz
Gerrit-Reviewer: Xqt info@gno.de
Gerrit-Reviewer: jenkins-bot
Gerrit-MessageType: merged



    