Update docs/handbook/security.rst

aclark4life · Copilot · web-flow · commit 49ce66291d66 · 2026-04-14T20:08:46.000-04:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/docs/handbook/security.rst b/docs/handbook/security.rst
@@ -189,13 +189,12 @@ Opening an EPS file invokes the system Ghostscript binary (``gs``) via
 ``subprocess``. Ghostscript has a long history of sandbox-escape CVEs
 permitting arbitrary code execution from malicious PostScript.
 
-*Mitigations:* **block EPS files** at the application input layer; if EPS must
-be supported, run Ghostscript in a fully isolated sandbox with no network and
-no sensitive mounts; unregister the plugin if unused::
-
-    from PIL import Image, EpsImagePlugin
-    Image.OPEN.pop("EPS", None)
-
+*Mitigations:* **block EPS files** at the application input layer before
+passing files to Pillow; if EPS must be supported, run Ghostscript in a fully
+isolated sandbox with no network and no sensitive mounts. Pillow does not
+provide a stable public API for unregistering individual format plugins, so do
+not rely on mutating internal registries such as ``Image.OPEN`` as a security
+control.
 **E-3 — ``ImageMath.unsafe_eval()`` code injection**
 
 :py:meth:`~PIL.ImageMath.unsafe_eval` calls Python's built-in ``eval()`` with
