[Bf-blender-cvs] [dd1be8c] blender-v2.73-release: Fix for security issue loading blend's
Campbell Barton
noreply at git.blender.org
Tue Jan 20 10:23:41 CET 2015
Commit: dd1be8ccc5bb87ca2fee668e5873bdac284993b8
Author: Campbell Barton
Date: Tue Jan 20 00:58:32 2015 +1100
Branches: blender-v2.73-release
https://developer.blender.org/rBdd1be8ccc5bb87ca2fee668e5873bdac284993b8
Fix for security issue loading blend's
Auto-Execute option could be overridden by opening a startup.blend
===================================================================
M source/blender/blenkernel/intern/blender.c
===================================================================
diff --git a/source/blender/blenkernel/intern/blender.c b/source/blender/blenkernel/intern/blender.c
index 96f7695..be72fe2 100644
--- a/source/blender/blenkernel/intern/blender.c
+++ b/source/blender/blenkernel/intern/blender.c
@@ -271,6 +271,17 @@ static void setup_app_data(bContext *C, BlendFileData *bfd, const char *filepath
BKE_userdef_free();
U = *bfd->user;
+
+ /* Security issue: any blend file could include a USER block.
+ *
+ * Currently we load prefs from BLENDER_STARTUP_FILE and later on load BLENDER_USERPREF_FILE,
+ * to load the preferences defined in the users home dir.
+ *
+ * This means we will never accidentally (or maliciously)
+ * enable scripts auto-execution by loading a '.blend' file.
+ */
+ U.flag |= USER_SCRIPT_AUTOEXEC_DISABLE;
+
MEM_freeN(bfd->user);
}
More information about the Bf-blender-cvs
mailing list