[Bf-blender-cvs] [45dfb3b] master: Fix for security issue loading blend's

Campbell Barton noreply at git.blender.org
Mon Jan 19 15:07:02 CET 2015


Commit: 45dfb3b74231dcaffcc8677435488b6eb18132de
Author: Campbell Barton
Date:   Tue Jan 20 00:58:32 2015 +1100
Branches: master
https://developer.blender.org/rB45dfb3b74231dcaffcc8677435488b6eb18132de

Fix for security issue loading blend's

Auto-Execute option could be overridden by opening a startup.blend

===================================================================

M	source/blender/blenkernel/intern/blender.c

===================================================================

diff --git a/source/blender/blenkernel/intern/blender.c b/source/blender/blenkernel/intern/blender.c
index 96f7695..be72fe2 100644
--- a/source/blender/blenkernel/intern/blender.c
+++ b/source/blender/blenkernel/intern/blender.c
@@ -271,6 +271,17 @@ static void setup_app_data(bContext *C, BlendFileData *bfd, const char *filepath
 		BKE_userdef_free();
 		
 		U = *bfd->user;
+
+		/* Security issue: any blend file could include a USER block.
+		 *
+		 * Currently we load prefs from BLENDER_STARTUP_FILE and later on load BLENDER_USERPREF_FILE,
+		 * to load the preferences defined in the users home dir.
+		 *
+		 * This means we will never accidentally (or maliciously)
+		 * enable scripts auto-execution by loading a '.blend' file.
+		 */
+		U.flag |= USER_SCRIPT_AUTOEXEC_DISABLE;
+
 		MEM_freeN(bfd->user);
 	}
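
Review bot: the new `U.flag |= USER_SCRIPT_AUTOEXEC_DISABLE;` directly after `U = *bfd->user;` clears only the auto-execute setting, while every other field of the file's USER block is still copied into `U` as-is. Since the comment itself says any blend file could include a USER block, consider either skipping the copy when the file is not the startup file, or stating in the comment why the remaining preferences are safe to take from an untrusted file. The flag is also set unconditionally, so the user's own choice survives only if the later BLENDER_USERPREF_FILE load does not pass through this branch. The comment should say where the real value is restored, so a later refactor of the load order does not leave auto-execution permanently disabled or quietly re-enable it.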



