From f3a8d00d03cc8bdf1739936998a784c9e4e64bb9 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 24 Apr 2011 00:00:36 +0200
Subject: [PATCH] Disable execution of embedded Python code unless run with
 -666  (CVE-2009-3850)

---
 source/blender/blenkernel/intern/blender.c  |   11 ++++++++++-
 source/blender/python/api2_2x/sceneRender.c |    3 ++-
 source/blender/src/buttons_script.c         |    4 +++-
 source/creator/creator.c                    |   18 ++++++++++++++----
 4 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/source/blender/blenkernel/intern/blender.c b/source/blender/blenkernel/intern/blender.c
index bf208c8..029b7cf 100644
--- a/source/blender/blenkernel/intern/blender.c
+++ b/source/blender/blenkernel/intern/blender.c
@@ -388,7 +388,16 @@ static void setup_app_data(BlendFileData *bfd, char *filename)
 	if (G.f & G_DEBUG) bfd->globalf |= G_DEBUG;
 	else bfd->globalf &= ~G_DEBUG;
 
-	if ((U.flag & USER_DONT_DOSCRIPTLINKS)) bfd->globalf &= ~G_DOSCRIPTLINKS;
+	if (G.f & G_DOSCRIPTLINKS) {
+		/* Blender running in -666 mode */
+		/* NOTE: In background mode U.flag has not been initialized from ~/.B.blend */
+		if (! G.background && (U.flag & USER_DONT_DOSCRIPTLINKS))
+			/* Prefer disabled "Auto Run Python Scripts" over -666 */
+			bfd->globalf &= ~G_DOSCRIPTLINKS;
+	} else {
+		/* Blender NOT running in -666 mode, deny pulling G_DOSCRIPTLINKS in */
+		bfd->globalf &= ~G_DOSCRIPTLINKS;
+	}
 
 	G.f= bfd->globalf;
 
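Review bot: In the `-666` branch the user's opt-out is honoured only when `! G.background`, so `-b -666` runs embedded scripts even for a user who turned off "Auto Run Python Scripts"; the comment explains why U.flag is unusable there but not the consequence. I would state it next to the check, e.g. `/* Consequence: with -b -666 the user preference cannot veto script execution */`, and brace the inner `if`, since a comment now sits between the condition and its single statement. The property that matters for CVE-2009-3850 is that a loaded file can only clear G_DOSCRIPTLINKS, never set it, before `G.f= bfd->globalf;`; a one-line comment above that assignment saying so would keep later edits from breaking it. setup_app_data starts and ends outside the hunk.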
diff --git a/source/blender/python/api2_2x/sceneRender.c b/source/blender/python/api2_2x/sceneRender.c
index 1bf2b75..e34a361 100644
--- a/source/blender/python/api2_2x/sceneRender.c
+++ b/source/blender/python/api2_2x/sceneRender.c
@@ -498,7 +498,8 @@ static PyObject *RenderData_Render( BPy_RenderData * self )
 
 		RE_BlenderFrame(re, G.scene, G.scene->r.cfra);
 
-		BPY_do_all_scripts(SCRIPT_POSTRENDER, 0);
+		if (G.f & G_DOSCRIPTLINKS)
+			BPY_do_all_scripts(SCRIPT_POSTRENDER, 0);
 
 		set_scene_bg( oldsce );
 	}
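Review bot: The `G.f & G_DOSCRIPTLINKS` test is added at this call site and again before the same `BPY_do_all_scripts(SCRIPT_POSTRENDER, 0)` call in the last creator.c hunk, which leaves every other caller responsible for remembering it. If BPY_do_all_scripts does not already test the flag itself (not visible in this patch), an early return at the top of that function when the flag is clear would make the default-deny hold for call sites this patch does not touch. Whether the pre-render script call earlier in RenderData_Render is gated cannot be seen from the hunk and is worth confirming. The added `if` should also be braced in both places.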
diff --git a/source/blender/src/buttons_script.c b/source/blender/src/buttons_script.c
index 647fc66..6166133 100644
--- a/source/blender/src/buttons_script.c
+++ b/source/blender/src/buttons_script.c
@@ -107,6 +107,8 @@
 #include "blendef.h"
 #include "butspace.h"
 
+extern int button_enable_script_links_enabled;
+
 /* ************************ function prototypes ********************** */
 void draw_scriptlink(uiBlock *, ScriptLink *, int , int , int ) ;
 
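Review bot: `extern int button_enable_script_links_enabled;` is declared directly in this .c file while the definition lives in creator.c, so the compiler never sees both together and a later change of type on one side would go unnoticed. Declaring it once in a header that both files include would let the definition be checked against the declaration. A short comment at the declaration, such as `/* set only by the -666 command line switch; 0 means the Scriptlinks toggle is inert */`, would also explain a name that is otherwise hard to parse.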
@@ -323,7 +325,7 @@ static void  script_panel_scriptlink(void)
 	block= uiNewBlock(&curarea->uiblocks, "script_panel_scriptlink", UI_EMBOSS, UI_HELV, curarea->win);
 	if(uiNewPanel(curarea, block, "Scriptlinks", "Script", 0, 0, 318, 204)==0) return;
 
-	uiDefButBitI(block, TOG, G_DOSCRIPTLINKS, REDRAWBUTSSCRIPT,
+	uiDefButBitI(block, button_enable_script_links_enabled ? TOG : BUT, G_DOSCRIPTLINKS, REDRAWBUTSSCRIPT,
 			"Enable Script Links", xco, 200, 150, 20, &G.f, 0, 0, 0, 0,
 			"Enable execution of all assigned Script links and Space Handelers");
 	/* for proper alignment: */
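Review bot: Switching the widget type to `BUT` when `button_enable_script_links_enabled` is 0 still hands the button `&G.f` and the `G_DOSCRIPTLINKS` bit, so the restriction depends on how the UI code treats a `BUT` with a bit pointer, which this patch does not show. It is worth confirming that a press cannot flip the bit, or making that independent of widget behaviour by not defining the button at all unless the flag is set. The tooltip still reads as if the control works; a different tip when disabled, such as `"Script links are disabled; start Blender with -666 to enable"`, would tell the user why nothing happens. script_panel_scriptlink continues outside the hunk.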
diff --git a/source/creator/creator.c b/source/creator/creator.c
index a562fc3..ccea569 100644
--- a/source/creator/creator.c
+++ b/source/creator/creator.c
@@ -108,6 +108,8 @@
 #include "binreloc.h"
 #endif
 
+int button_enable_script_links_enabled = 0;
+
 // from buildinfo.c
 #ifdef BUILD_DATE
 extern char * build_date;
@@ -232,7 +234,8 @@ static void print_help(void)
 	printf ("  -nojoystick\tDisable joystick support\n");
 	printf ("  -noglsl\tDisable GLSL shading\n");
 	printf ("  -h\t\tPrint this help text\n");
-	printf ("  -y\t\tDisable automatic python script execution (scriptlinks, pydrivers, pyconstraints, pynodes)\n");
+	printf ("  -666\t\tEnables automatic python script execution (scriptlinks, pydrivers, pyconstraints, pynodes)\n");
+	printf ("  -y\t\tDisable automatic python script execution (scriptlinks, pydrivers, pyconstraints, pynodes) (default)\n");
 	printf ("  -P <filename>\tRun the given Python script (filename or Blender Text)\n");
 #ifdef WIN32
 	printf ("  -R\t\tRegister .blend extension\n");
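Review bot: The new `-666` help line does not say that the switch lets Python embedded in a loaded .blend file run, which is the reason the default was changed; a reader sees only a list of feature names. Suggest `"  -666\t\tEnable automatic python script execution (scriptlinks, pydrivers, pyconstraints, pynodes); use only with trusted .blend files\n"`, which also fixes "Enables" against "Disable" on the next line. print_help starts and ends outside the hunk.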
@@ -366,7 +369,7 @@ int main(int argc, char **argv)
 
 	/* first test for background */
 
-	G.f |= G_DOSCRIPTLINKS; /* script links enabled by default */
+	G.f &= ~G_DOSCRIPTLINKS; /* script links disabled by default */
 
 	for(a=1; a<argc; a++) {
 
@@ -388,6 +391,11 @@ int main(int argc, char **argv)
 			exit(0);
 		}
 
+		if (!strcmp(argv[a], "-666")){
+			G.f |= G_DOSCRIPTLINKS;
+			button_enable_script_links_enabled = 1;
+		}
+
 		/* Handle -* switches */
 		else if(argv[a][0] == '-') {
 			switch(argv[a][1]) {
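Review bot: The `-666` test is spliced in front of the existing `else if(argv[a][0] == '-')`, so that `else` now binds to the new `if`, with a blank line and a comment between the closing brace and the `else`; this is easy to misread as a stand-alone block. Moving the `/* Handle -* switches */` comment inside the branch and writing `} else if(argv[a][0] == '-') {` directly after the new body would make the chain obvious. The preceding hunk labels this loop as the first pass over the arguments, so if a later pass in main switches on `argv[a][1]` it should be checked that `-666` is tolerated there; that code is outside the hunk. `strcmp(argv[a], "-666") == 0` also reads more clearly than `!strcmp(...)`.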
@@ -405,8 +413,9 @@ int main(int argc, char **argv)
 				a= argc;
 				break;
 
-			case 'y':
+			case 'y':  /* NOTE: -y works the exact opposite way in version 2.57! */
 				G.f &= ~G_DOSCRIPTLINKS;
+				button_enable_script_links_enabled = 0;
 				break;
 
 			case 'Y':
@@ -680,7 +689,8 @@ int main(int argc, char **argv)
 #endif
 						RE_BlenderAnim(re, G.scene, frame, frame, G.scene->frame_step);
 #ifndef DISABLE_PYTHON
-						BPY_do_all_scripts(SCRIPT_POSTRENDER, 0);
+						if (G.f & G_DOSCRIPTLINKS)
+							BPY_do_all_scripts(SCRIPT_POSTRENDER, 0);
 #endif
 					}
 				} else {
-- 
1.7.5.rc1