
Provide a documented way to turn off EPS handling via Ghostscript #7391

Closed
raphaelm opened this issue Sep 12, 2023 · 6 comments · Fixed by #7392

Comments

@raphaelm

raphaelm commented Sep 12, 2023

Pillow parses EPS files through ghostscript.

Ghostscript is troubled with regular security issues of critical impact, such as remote code execution. There has been this one, two CVEs this year already, and there is another one just coming up with the patch not yet included in any release.

We do not need EPS handling and we can turn it off in our code using Image.open(…, formats=["JPG", "PNG", …]). However, we use third-party components that also use Pillow (such as reportlab) and we'd like to make sure they also don't accidentally open EPS files and we can't modify the code.

From what I can tell, we can accomplish this with:

```python
from PIL import Image

if "EPS" in Image.ID:
    Image.ID.remove("EPS")
```

However, that seems to be undocumented and feels like unclean monkeypatching. I think it would be worth it providing a documented API to turn off third-party backends like ghostscript globally.

@radarhere
Member

Hi. See what you think of #7392. It adds EpsImagePlugin.gs_binary, so that setting EpsImagePlugin.gs_binary = False would result in OSError: Unable to locate Ghostscript on paths when trying to load an EPS image.

radarhere changed the title from “Provide a documented way to turn off EPS handling via ghostscript” to “Provide a documented way to turn off EPS handling via Ghostscript” on Sep 12, 2023
@raphaelm
Author

Wow, that was fast! Not sure if I read the code exactly, but wouldn't this trigger OSError from line 72 whenever I set it to False and import the module?

@radarhere
Member

radarhere commented Sep 12, 2023

No, the Ghostscript function is only called when an image is loaded.

```python
def load(self, scale=1, transparency=False):
    # Load EPS via Ghostscript
    if self.tile:
        self.im = Ghostscript(self.tile, self.size, self.fp, scale, transparency)
```

With the workaround that you posted above, an EPS file won't be identified. In my suggestion, it will be identified. Image.open will complete successfully. It will just raise an OSError once load() is called on it (which many Pillow operations call internally).

@raphaelm
Author

Ah sorry, I've mistaken Ghostscript to be a class. My bad! Yes, sounds good then. (A note in the docs about it would be great to make it "official" so I can somehow expect it to continue to work in future versions.)

@radarhere
Member

Sure. I've added a commit to the PR. You can see the preview at https://pillow--7392.org.readthedocs.build/en/7392/handbook/image-file-formats.html#eps

To use Ghostscript, Pillow searches for the “gs” executable. On Windows, it also searches for “gswin32c” and “gswin64c”. If you would like to customise this behaviour, EpsImagePlugin.gs_binary = "gswin64" will set the name of the executable to use. EpsImagePlugin.gs_binary = False will prevent Ghostscript from being used altogether.

@raphaelm
Author

Thank you <3
