git.blender.org/blender.git
author Campbell Barton <ideasman42@gmail.com> 2015-01-19 16:58:32 +0300
committer Campbell Barton <ideasman42@gmail.com> 2015-01-19 16:58:32 +0300
commit 45dfb3b74231dcaffcc8677435488b6eb18132de
tree 6804c28796d17e83967c09d655c5e1ef5f8b3f7e /source/blender/blenkernel/intern/blender.c
parent 4c74fb24a2b2229d11954c70ad8f29b5c943cd1d
Fix for security issue loading blend's
Auto-Execute option could be overridden by opening a startup.blend
Diffstat (limited to 'source/blender/blenkernel/intern/blender.c')
-rw-r--r-- source/blender/blenkernel/intern/blender.c 11
1 files changed, 11 insertions, 0 deletions
diff --git a/source/blender/blenkernel/intern/blender.c b/source/blender/blenkernel/intern/blender.c
index 96f769587d9..be72fe29d82 100644
--- a/source/blender/blenkernel/intern/blender.c
+++ b/source/blender/blenkernel/intern/blender.c
@@ -271,6 +271,17 @@ static void setup_app_data(bContext *C, BlendFileData *bfd, const char *filepath
BKE_userdef_free();
U = *bfd->user;
+
+ /* Security issue: any blend file could include a USER block.
+ *
+ * Currently we load prefs from BLENDER_STARTUP_FILE and later on load BLENDER_USERPREF_FILE,
+ * to load the preferences defined in the users home dir.
+ *
+ * This means we will never accidentally (or maliciously)
+ * enable scripts auto-execution by loading a '.blend' file.
+ */
+ U.flag |= USER_SCRIPT_AUTOEXEC_DISABLE;
+
MEM_freeN(bfd->user);
}
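Review bot: The assignment `U = *bfd->user;` just above the added lines still copies the entire USER block from whatever file is being opened, and only `USER_SCRIPT_AUTOEXEC_DISABLE` is forced afterwards, so every other preference in `U` remains settable by an untrusted .blend. Consider ignoring the USER block unless the file being read is the startup file, or resetting the other security-relevant fields in this branch as well. The comment also relies on BLENDER_USERPREF_FILE being loaded later to restore the user's own choice; it should say where that load happens and that it does not pass through this branch, since otherwise the disable flag would be set on the user's own preferences too.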