Merge pull request #518 from MLB-LED-Scoreboard/pillow-upgrade

Remove Pillow patch, require Pillow > 10.0.1
MLB-LED-Scoreboard · Feb 27, 2024 · 1cc1365 · 1cc1365
2 parents 8e34de6 + 9cfacb2
commit 1cc1365
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 42 deletions.
diff --git a/.github/workflows/run_unittest_on_pr_open.yml b/.github/workflows/run_unittest_on_pr_open.yml
@@ -12,11 +12,11 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
+        python-version: ["3.8", "3.9", "3.10", "3.11"]
     steps:
       - uses: actions/checkout@v3
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies

diff --git a/README.md b/README.md
@@ -1,7 +1,8 @@
 # mlb-led-scoreboard
 
-![Current Version](https://img.shields.io/github/v/release/MLB-LED-Scoreboard/MLB-LED-Scoreboard) [![Join Discord](https://img.shields.io/badge/discord-join-blue.svg)](https://discord.gg/FdD6ec9fdt)
+![Current Version](https://img.shields.io/github/v/release/MLB-LED-Scoreboard/MLB-LED-Scoreboard) ![](https://img.shields.io/badge/python-3.8_%7C_3.9_%7C_3.10_%7C_3.11-blue)
 
+[![Join Discord](https://img.shields.io/badge/discord-join-green.svg)](https://discord.gg/FdD6ec9fdt)
 
 <a href="assets/img/header.jpg">
   <img alt="Project header" width="800px" height="auto" src="assets/img/header.jpg">

diff --git a/main.py b/main.py
@@ -21,21 +21,7 @@
 import threading
 import time
 
-# TODO: This code addresses CVE-2023-4863 in Pillow < 10.0.1, which requires Python 3.8+
-#   See requirements.txt for rationale.
-try:
-    from PIL import Image
-
-    pil_version = tuple(map(int, Image.__version__.split(".")))
-    if pil_version < (10, 0, 1):
-        debug.warning(f"Attempted to load an insecure PIL version ({Image.__version__}). We require PIL 10.0.1 or higher.")
-
-        raise ModuleNotFoundError
-
-    PIL_LOADED = True
-except:
-    debug.warning("PIL failed to load -- images will not be displayed.")
-    PIL_LOADED = False
+from PIL import Image
 
 # Important! Import the driver first to initialize it, then import submodules as needed.
 import driver
@@ -74,7 +60,7 @@ def main(matrix, config_base):
 
     # MLB image disabled when using renderer, for now.
     # see: https://github.com/ty-porter/RGBMatrixEmulator/issues/9#issuecomment-922869679
-    if os.path.exists(logo_path) and driver.is_hardware() and PIL_LOADED:
+    if os.path.exists(logo_path) and driver.is_hardware():
         logo = Image.open(logo_path)
         matrix.SetImage(logo.convert("RGB"))
         logo.close()

diff --git a/renderers/offday.py b/renderers/offday.py
@@ -2,13 +2,7 @@
 
 import time
 
-try:
-    from PIL import Image
-
-    PIL_LOADED = True
-except:
-
-    PIL_LOADED = False
+from PIL import Image
 
 from data.time_formats import TIME_FORMAT_12H
 from data.config.color import Color
@@ -44,10 +38,9 @@ def __render_clock(canvas, layout, colors, time_format):
 
 def __render_weather(canvas, layout, colors, weather):
     if weather.available():
-        if PIL_LOADED:
-            image_file = weather.icon_filename()
-            weather_icon = Image.open(image_file)
-            __render_weather_icon(canvas, layout, colors, weather_icon)
+        image_file = weather.icon_filename()
+        weather_icon = Image.open(image_file)
+        __render_weather_icon(canvas, layout, colors, weather_icon)
         __render_weather_text(canvas, layout, colors, weather.conditions, "conditions")
         __render_weather_text(canvas, layout, colors, weather.temperature_string(), "temperature")
         __render_weather_text(canvas, layout, colors, weather.wind_speed_string(), "wind_speed")

diff --git a/requirements.txt b/requirements.txt
@@ -1,17 +1,6 @@
 feedparser==6.0.10
 MLB_StatsAPI>=1.6.1
-# PIL is affected by CVE-2023-4863
-#   https://nvd.nist.gov/vuln/detail/CVE-2023-4863
-# 
-# The vulnerability is patched in Pillow >= 10.0.1. This version does not support Python 3.7 due to this version being end-of-life.
-# Python 3.7.3 is the default Python version for Raspbian / Raspberry Pi OS, and upgrading Python versions is difficult for non-technical users.
-#
-# Therefore, addressing the CVE at this time would be a breaking change for most users without an easy upgrade path to Python 3.8+.
-# 
-# Dependabot PR:
-#   https://github.com/MLB-LED-Scoreboard/mlb-led-scoreboard/pull/502
-#
-# Pillow==9.3.1
+Pillow>=10.0.1
 pyowm==3.3.0
 RGBMatrixEmulator>=0.8.4
 tzlocal==4.2