10.3.0 (2024-04-01)

Security

ImageMath eval()

Danger

ImageMath.eval() uses Python’s eval() function to process the expression string, and carries the security risks of doing so. A direct replacement for this is the new unsafe_eval(), but that carries the same risks. It is not recommended to process expressions without considering this. lambda_eval() is a more secure alternative.

CVE-2024-28219: Fix buffer overflow in _imagingcms.c

In _imagingcms.c, two strcpy calls were able to copy too much data into fixed length strings. This has been fixed by using strncpy instead.
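The pattern behind this fix, as an added example that is not Pillow's code: an unbounded strcpy into a fixed-length buffer beside bounded copies. The function names, the 8-byte buffer and the sample string are assumptions. One check worth making wherever strncpy replaces strcpy: strncpy writes no terminator when the source fills the buffer, so the last byte must be set explicitly.

```c
#include <stdio.h>
#include <string.h>

/* "Before" pattern: copies up to src's NUL, ignoring the size of dst. */
void copy_unbounded(char *dst, const char *src) {
    strcpy(dst, src);  /* writes past dst when strlen(src) >= its size */
}

/* strncpy alone bounds the write but leaves dst unterminated on truncation. */
void copy_strncpy_only(char *dst, size_t dst_size, const char *src) {
    strncpy(dst, src, dst_size);
}

/* Bounded and always terminated. Returns 1 if src was truncated, else 0. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) {
        return 1;  /* nothing can be stored, not even the terminator */
    }
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) >= dst_size;
}

/* Returns 1 if a NUL byte exists within the first n bytes of buf. */
int is_terminated(const char *buf, size_t n) {
    return memchr(buf, '\0', n) != NULL;
}

int main(void) {
    const char *long_name = "sRGB-IEC61966";  /* constructed input, 13 chars */
    char a[8], b[8];                          /* assumed fixed field size */

    memset(a, 'X', sizeof a);
    memset(b, 'X', sizeof b);

    copy_strncpy_only(a, sizeof a, long_name);
    int truncated = copy_bounded(b, sizeof b, long_name);

    printf("strncpy only: terminated=%d\n", is_terminated(a, sizeof a));
    printf("bounded:      terminated=%d truncated=%d value=%s\n",
           is_terminated(b, sizeof b), truncated, b);
    return 0;
}
```

Callers that cannot tolerate silent truncation should treat a return value of 1 as an error rather than use the shortened string.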

Deprecations

ImageCms constants and versions() function

A number of constants and a function in ImageCms have been deprecated. This includes a table of flags based on LittleCMS version 1 which has been replaced with a new class ImageCms.Flags based on LittleCMS 2 flags.

Deprecated                                Use instead
ImageCms.DESCRIPTION                      No replacement
ImageCms.VERSION                          PIL.__version__
ImageCms.FLAGS["MATRIXINPUT"]             ImageCms.Flags.CLUT_POST_LINEARIZATION
ImageCms.FLAGS["MATRIXOUTPUT"]            ImageCms.Flags.FORCE_CLUT
ImageCms.FLAGS["MATRIXONLY"]              No replacement
ImageCms.FLAGS["NOWHITEONWHITEFIXUP"]     ImageCms.Flags.NOWHITEONWHITEFIXUP
ImageCms.FLAGS["NOPRELINEARIZATION"]      ImageCms.Flags.CLUT_PRE_LINEARIZATION
ImageCms.FLAGS["GUESSDEVICECLASS"]        ImageCms.Flags.GUESSDEVICECLASS
ImageCms.FLAGS["NOTCACHE"]                ImageCms.Flags.NOCACHE
ImageCms.FLAGS["NOTPRECALC"]              ImageCms.Flags.NOOPTIMIZE
ImageCms.FLAGS["NULLTRANSFORM"]           ImageCms.Flags.NULLTRANSFORM
ImageCms.FLAGS["HIGHRESPRECALC"]          ImageCms.Flags.HIGHRESPRECALC
ImageCms.FLAGS["LOWRESPRECALC"]           ImageCms.Flags.LOWRESPRECALC
ImageCms.FLAGS["GAMUTCHECK"]              ImageCms.Flags.GAMUTCHECK
ImageCms.FLAGS["WHITEBLACKCOMPENSATION"]  ImageCms.Flags.BLACKPOINTCOMPENSATION
ImageCms.FLAGS["BLACKPOINTCOMPENSATION"]  ImageCms.Flags.BLACKPOINTCOMPENSATION
ImageCms.FLAGS["SOFTPROOFING"]            ImageCms.Flags.SOFTPROOFING
ImageCms.FLAGS["PRESERVEBLACK"]           ImageCms.Flags.NONEGATIVES
ImageCms.FLAGS["NODEFAULTRESOURCEDEF"]    ImageCms.Flags.NODEFAULTRESOURCEDEF
ImageCms.FLAGS["GRIDPOINTS"]              ImageCms.Flags.GRIDPOINTS()
ImageCms.versions()                       PIL.features.version_module() with feature="littlecms2", sys.version or sys.version_info, and PIL.__version__

ImageMath.eval()

ImageMath.eval() has been deprecated. Use lambda_eval() or unsafe_eval() instead. See earlier security notes for more information.

API Changes

Added alpha_quality argument when saving WebP images

When saving WebP images, an alpha_quality argument can be passed to the encoder. It is an integer value between 0 and 100, where values other than 100 will provide lossy compression.

Negative kmeans error

When calling quantize(), a negative kmeans will now raise a ValueError, unless a palette is supplied to make the value redundant.

Negative P1-P3 PPM value error

If a P1-P3 PPM image contains a negative value, a ValueError will now be raised.

API Additions

Added PerspectiveTransform

PerspectiveTransform has been added, meaning that all of the Transform values now have a corresponding subclass of Transform.

Other Changes

Portable FloatMap (PFM) images

Support has been added for reading and writing grayscale (Pf format) Portable FloatMap (PFM) files containing F data.

Release GIL when fetching WebP frames

Python’s Global Interpreter Lock is now released when fetching WebP frames from the libwebp decoder.

Type hints

Pillow now has type hints for a large part of its modules, and the package includes a py.typed file and the Typing :: Typed Trove classifier.