From 072e11130a2f96642972b0d4ac7ad2a9cd19fbf2 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Wed, 20 Apr 2011 16:42:17 +0200
Subject: [PATCH] Flip default of "Auto Run Python Scripts" to disabled 
 (CVE-2009-3850)

Manual overriding through new parameter -666 is supported
---
 source/blender/blenkernel/intern/blender.c  |   11 ++++++++++-
 source/blender/python/api2_2x/sceneRender.c |    3 ++-
 source/creator/creator.c                    |   14 ++++++++++----
 3 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/source/blender/blenkernel/intern/blender.c b/source/blender/blenkernel/intern/blender.c
index bf208c8..029b7cf 100644
--- a/source/blender/blenkernel/intern/blender.c
+++ b/source/blender/blenkernel/intern/blender.c
@@ -388,7 +388,16 @@ static void setup_app_data(BlendFileData *bfd, char *filename)
 	if (G.f & G_DEBUG) bfd->globalf |= G_DEBUG;
 	else bfd->globalf &= ~G_DEBUG;
 
-	if ((U.flag & USER_DONT_DOSCRIPTLINKS)) bfd->globalf &= ~G_DOSCRIPTLINKS;
+	if (G.f & G_DOSCRIPTLINKS) {
+		/* Blender running in -666 mode */
+		/* NOTE: In background mode U.flag has not been initialized from ~/.B.blend */
+		if (! G.background && (U.flag & USER_DONT_DOSCRIPTLINKS))
+			/* Prefer disabled "Auto Run Python Scripts" over -666 */
+			bfd->globalf &= ~G_DOSCRIPTLINKS;
+	} else {
+		/* Blender NOT running in -666 mode, deny pulling G_DOSCRIPTLINKS in */
+		bfd->globalf &= ~G_DOSCRIPTLINKS;
+	}
 
 	G.f= bfd->globalf;
 
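Review bot: In the `if (G.f & G_DOSCRIPTLINKS)` branch the bit in `bfd->globalf` is left as it arrived, so the `G.f= bfd->globalf;` that follows can clear the -666 opt-in for the rest of the session if the loaded data has the bit unset. That fails closed, but it makes the comment "Blender running in -666 mode" true only until the first such load, because G.f holds both the command-line choice and the per-file state. If that is intended, document it on the branch, e.g. `/* -666 given and not cleared by an earlier load; the file's own bit is kept */`. Otherwise keep the command-line opt-in in a separate variable rather than re-deriving it from G.f. setup_app_data begins and ends outside the hunk.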
diff --git a/source/blender/python/api2_2x/sceneRender.c b/source/blender/python/api2_2x/sceneRender.c
index 1bf2b75..e34a361 100644
--- a/source/blender/python/api2_2x/sceneRender.c
+++ b/source/blender/python/api2_2x/sceneRender.c
@@ -498,7 +498,8 @@ static PyObject *RenderData_Render( BPy_RenderData * self )
 
 		RE_BlenderFrame(re, G.scene, G.scene->r.cfra);
 
-		BPY_do_all_scripts(SCRIPT_POSTRENDER, 0);
+		if (G.f & G_DOSCRIPTLINKS)
+			BPY_do_all_scripts(SCRIPT_POSTRENDER, 0);
 
 		set_scene_bg( oldsce );
 	}
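Review bot: The `if (G.f & G_DOSCRIPTLINKS)` guard is added at the call site, so every caller of `BPY_do_all_scripts` has to remember it; only the SCRIPT_POSTRENDER call is visible as gated here. Any other call in RenderData_Render, such as a pre-render one before `RE_BlenderFrame`, lies outside the hunk and should be confirmed to carry the same check. The hunk in source/creator/creator.c around `RE_BlenderAnim` has the same shape and the same open question. Checking the flag once at the top of `BPY_do_all_scripts` itself would enforce the policy centrally, assuming that function has no caller that must run with the flag clear. The new `if` would also be safer braced: `if (G.f & G_DOSCRIPTLINKS) { BPY_do_all_scripts(SCRIPT_POSTRENDER, 0); }`.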
diff --git a/source/creator/creator.c b/source/creator/creator.c
index a562fc3..994180d 100644
--- a/source/creator/creator.c
+++ b/source/creator/creator.c
@@ -232,7 +232,8 @@ static void print_help(void)
 	printf ("  -nojoystick\tDisable joystick support\n");
 	printf ("  -noglsl\tDisable GLSL shading\n");
 	printf ("  -h\t\tPrint this help text\n");
-	printf ("  -y\t\tDisable automatic python script execution (scriptlinks, pydrivers, pyconstraints, pynodes)\n");
+	printf ("  -666\t\tEnables automatic python script execution (scriptlinks, pydrivers, pyconstraints, pynodes)\n");
+	printf ("  -y\t\tDisable automatic python script execution (scriptlinks, pydrivers, pyconstraints, pynodes) (default)\n");
 	printf ("  -P <filename>\tRun the given Python script (filename or Blender Text)\n");
 #ifdef WIN32
 	printf ("  -R\t\tRegister .blend extension\n");
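Review bot: The new -666 help line says "Enables" while the -y line says "Disable", and it does not tell the user that the switch lets Python code carried by the opened file run automatically. Since this is the only user-facing documentation of the opt-in, something like `printf ("  -666\t\tEnable automatic python script execution (scriptlinks, pydrivers, pyconstraints, pynodes); use only with files you trust\n");` would state the risk where the user makes the choice. print_help continues outside the hunk.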
@@ -366,7 +367,7 @@ int main(int argc, char **argv)
 
 	/* first test for background */
 
-	G.f |= G_DOSCRIPTLINKS; /* script links enabled by default */
+	G.f &= ~G_DOSCRIPTLINKS; /* script links disabled by default */
 
 	for(a=1; a<argc; a++) {
 
@@ -388,6 +389,10 @@ int main(int argc, char **argv)
 			exit(0);
 		}
 
+		if (!strcmp(argv[a], "-666")){
+			G.f |= G_DOSCRIPTLINKS;
+		}
+
 		/* Handle -* switches */
 		else if(argv[a][0] == '-') {
 			switch(argv[a][1]) {
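Review bot: The added `if (!strcmp(argv[a], "-666"))` starts a new if-chain, so the following `else if(argv[a][0] == '-')` now pairs with the -666 test instead of the preceding block. This behaves correctly only because that block ends in `exit(0);`. Writing it as `else if (!strcmp(argv[a], "-666")) {` keeps one chain and does not depend on the early exit. This loop is commented "first test for background", and main continues outside the hunk. If a later pass over argv exists, confirm it skips "-666", which would otherwise reach the generic `-*` switch with `argv[a][1] == '6'`. The last of -666 and -y on the command line wins, which is worth stating in a comment next to the test.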
@@ -405,7 +410,7 @@ int main(int argc, char **argv)
 				a= argc;
 				break;
 
-			case 'y':
+			case 'y':  /* NOTE: -y works the exact opposite way in version 2.57! */
 				G.f &= ~G_DOSCRIPTLINKS;
 				break;
 
@@ -680,7 +685,8 @@ int main(int argc, char **argv)
 #endif
 						RE_BlenderAnim(re, G.scene, frame, frame, G.scene->frame_step);
 #ifndef DISABLE_PYTHON
-						BPY_do_all_scripts(SCRIPT_POSTRENDER, 0);
+						if (G.f & G_DOSCRIPTLINKS)
+							BPY_do_all_scripts(SCRIPT_POSTRENDER, 0);
 #endif
 					}
 				} else {
-- 
1.7.5.rc1