Hi, I tried the patch but it sets overrides by default which make it impossible to enable via the userprefs. I found it shows python auto execution enabled in the user prefs when its actually disabled in blender.
For example, if autoexec is enabled in the user prefs opening a file from Ctrl+O menu will still disable script execution, but from the open file selector it will be enabled. Rather then apply patches like this, I added an advanced build option in CMake: WITH_PYTHON_SECURITY, r36363. This build option is off by default and marked as advanced - but if you want this as default behavior you can enable it. This makes python execution off by default on load and disabled when loading factory settings. Other then having the option opt-in the user preference works as before, and enabling it, then saving the user-defaults works as expected for users that want to keep this on. On Wed, Apr 27, 2011 at 5:08 PM, Jochen Schmitt <[email protected]> wrote: > Hallo, > > I was notified, that the security issue CVE-2009-3850 still exisi in > blender-2.57. > > On bug #364291 on gut.gentoo.org the above patch was provided, which I want > to forward to you. > > Best Regards: > > Jochen Schmitt > > > > > @@ -, +, @@ > --enable-autoexec|-y|-666 (CVE-2009-3850) > source/blender/blenkernel/intern/blender.c | 3 ++- > source/blender/makesrna/intern/rna_userdef.c | 9 ++++++--- > source/blender/windowmanager/intern/wm_files.c | 3 ++- > source/creator/creator.c | 10 ++++++---- > 4 files changed, 16 insertions(+), 9 deletions(-) > --- a/source/blender/blenkernel/intern/blender.c > +++ a/source/blender/blenkernel/intern/blender.c > @@ -141,7 +141,8 @@ void initglobals(void) > G.charmin = 0x0000; > G.charmax = 0xffff; > > - G.f |= G_SCRIPT_AUTOEXEC; > + G.f &= ~G_SCRIPT_AUTOEXEC; > + G.f |= G_SCRIPT_OVERRIDE_PREF; /* Disables turning > G_SCRIPT_AUTOEXEC on from user prefs */ > } > > /***/ > --- a/source/blender/makesrna/intern/rna_userdef.c > +++ a/source/blender/makesrna/intern/rna_userdef.c > @@ -99,9 +99,12 @@ static void rna_userdef_show_manipulator_update(Main > *bmain, Scene *scene, Point > > static void rna_userdef_script_autoexec_update(Main *bmain, Scene > *scene, PointerRNA *ptr) > { > - UserDef *userdef = (UserDef*)ptr->data; > - if (userdef->flag & USER_SCRIPT_AUTOEXEC_DISABLE) G.f &= > ~G_SCRIPT_AUTOEXEC; > - else G.f |= > G_SCRIPT_AUTOEXEC; > + if ((G.f & G_SCRIPT_OVERRIDE_PREF) == 0) { > + /* Blender run with --enable-autoexec */ > + UserDef *userdef = (UserDef*)ptr->data; > + if (userdef->flag & USER_SCRIPT_AUTOEXEC_DISABLE) G.f &= > ~G_SCRIPT_AUTOEXEC; > + else G.f |= > G_SCRIPT_AUTOEXEC; > + } > } > > static void rna_userdef_mipmap_update(Main *bmain, Scene *scene, > PointerRNA *ptr) > --- a/source/blender/windowmanager/intern/wm_files.c > +++ a/source/blender/windowmanager/intern/wm_files.c > @@ -270,7 +270,8 @@ static void wm_init_userdef(bContext *C) > > /* set the python auto-execute setting from user prefs */ > /* enabled by default, unless explicitly enabled in the command > line which overrides */ > - if((G.f & G_SCRIPT_OVERRIDE_PREF) == 0) { > + if (! G.background && ((G.f & G_SCRIPT_OVERRIDE_PREF) == 0)) { > + /* Blender run with --enable-autoexec */ > if ((U.flag & USER_SCRIPT_AUTOEXEC_DISABLE) == 0) G.f |= > G_SCRIPT_AUTOEXEC; > else G.f &= > ~G_SCRIPT_AUTOEXEC; > } > --- a/source/creator/creator.c > +++ a/source/creator/creator.c > @@ -278,6 +278,7 @@ static int print_help(int UNUSED(argc), const char > **UNUSED(argv), void *data) > > printf("\n"); > > + BLI_argsPrintArgDoc(ba, "-666"); > BLI_argsPrintArgDoc(ba, "--enable-autoexec"); > BLI_argsPrintArgDoc(ba, "--disable-autoexec"); > > @@ -359,14 +360,14 @@ static int end_arguments(int UNUSED(argc), const > char **UNUSED(argv), void *UNUS > static int enable_python(int UNUSED(argc), const char **UNUSED(argv), > void *UNUSED(data)) > { > G.f |= G_SCRIPT_AUTOEXEC; > - G.f |= G_SCRIPT_OVERRIDE_PREF; > + G.f &= ~G_SCRIPT_OVERRIDE_PREF; /* Enables turning > G_SCRIPT_AUTOEXEC off from user prefs */ > return 0; > } > > static int disable_python(int UNUSED(argc), const char **UNUSED(argv), > void *UNUSED(data)) > { > G.f &= ~G_SCRIPT_AUTOEXEC; > - G.f |= G_SCRIPT_OVERRIDE_PREF; > + G.f |= G_SCRIPT_OVERRIDE_PREF; /* Disables turning > G_SCRIPT_AUTOEXEC on from user prefs */ > return 0; > } > > @@ -1075,8 +1076,9 @@ static void setupArguments(bContext *C, bArgs *ba, > SYS_SystemHandle *syshandle) > > BLI_argsAdd(ba, 1, "-v", "--version", "\n\tPrint Blender version > and exit", print_version, NULL); > > - BLI_argsAdd(ba, 1, "-y", "--enable-autoexec", "\n\tEnable automatic > python script execution (default)", enable_python, NULL); > - BLI_argsAdd(ba, 1, "-Y", "--disable-autoexec", "\n\tDisable > automatic python script execution (pydrivers, pyconstraints, pynodes)", > disable_python, NULL); > + BLI_argsAdd(ba, 1, NULL, "-666", "\n\tEnable automatic python > script execution (port from CVE-2009-3850 patch to Blender 2.49b)", > enable_python, NULL); > + BLI_argsAdd(ba, 1, "-y", "--enable-autoexec", "\n\tEnable automatic > python script execution", enable_python, NULL); > + BLI_argsAdd(ba, 1, "-Y", "--disable-autoexec", "\n\tDisable > automatic python script execution (pydrivers, pyconstraints, pynodes) > (default)", disable_python, NULL); > > BLI_argsAdd(ba, 1, "-b", "--background", "<file>\n\tLoad <file> in > background (often used for UI-less rendering)", background_mode, NULL); > > > _______________________________________________ > Bf-committers mailing list > [email protected] > http://lists.blender.org/mailman/listinfo/bf-committers > -- - Campbell _______________________________________________ Bf-committers mailing list [email protected] http://lists.blender.org/mailman/listinfo/bf-committers
