author | Campbell Barton <ideasman42@gmail.com> | 2011-04-28 10:20:47 +0400 |
committer | Campbell Barton <ideasman42@gmail.com> | 2011-04-28 10:20:47 +0400 |
commit | 11305bd688fa7306d9d2c9eac2525df35ed31196 (patch) | |
tree | c792a28d9cb23b350955c9071d79abe71a4aaa8d /source | |
parent | 7a2d6482e3971d669427697a8cd9fe0b1563bb83 (diff) |
CMake build option for security report: CVE-2009-3850
Nothing is changed by default, but some Linux distributions want executing Python to be opt-in.
This keeps the same functionality but disables auto-run from factory settings and in background mode unless it's enabled as a command-line argument.
This CMake option is marked as advanced and won't show in the regular options list, so it's less likely to be enabled by people who like to turn everything ON without reading descriptions :)
Diffstat (limited to 'source')
-rw-r--r-- | source/blender/blenkernel/CMakeLists.txt | 4 | ||||
-rw-r--r-- | source/blender/blenkernel/intern/blender.c | 6 | ||||
-rw-r--r-- | source/blender/windowmanager/CMakeLists.txt | 4 | ||||
-rw-r--r-- | source/blender/windowmanager/intern/wm_files.c | 6 | ||||
-rw-r--r-- | source/creator/CMakeLists.txt | 4 | ||||
-rw-r--r-- | source/creator/creator.c | 16 |
6 files changed, 37 insertions, 3 deletions
diff --git a/source/blender/blenkernel/CMakeLists.txt b/source/blender/blenkernel/CMakeLists.txt
index 47d393559f4..0b616f81ef3 100644
--- a/source/blender/blenkernel/CMakeLists.txt
+++ b/source/blender/blenkernel/CMakeLists.txt
@@ -282,6 +282,10 @@ endif()
 if(WITH_PYTHON)
 list(APPEND INC ../python ${PYTHON_INCLUDE_DIRS})
 add_definitions(-DWITH_PYTHON)
+
+ if(WITH_PYTHON_SECURITY)
+ add_definitions(-DWITH_PYTHON_SECURITY)
+ endif()
 endif()
 if(WITH_OPENMP)
diff --git a/source/blender/blenkernel/intern/blender.c b/source/blender/blenkernel/intern/blender.c
index d1a181046a6..ce6a95430e3 100644
--- a/source/blender/blenkernel/intern/blender.c
+++ b/source/blender/blenkernel/intern/blender.c
@@ -140,8 +140,12 @@ void initglobals(void)
 G.charstart = 0x0000;
 G.charmin = 0x0000;
 G.charmax = 0xffff;
-
+
+#ifndef WITH_PYTHON_SECURITY /* default */
 G.f |= G_SCRIPT_AUTOEXEC;
+#else
+ G.f &= ~G_SCRIPT_AUTOEXEC;
+#endif
 }
 /***/
diff --git a/source/blender/windowmanager/CMakeLists.txt b/source/blender/windowmanager/CMakeLists.txt
index db0815efa53..1a056b56eff 100644
--- a/source/blender/windowmanager/CMakeLists.txt
+++ b/source/blender/windowmanager/CMakeLists.txt
@@ -98,6 +98,10 @@ endif()
 if(WITH_PYTHON)
 list(APPEND INC ../python ${PYTHON_INCLUDE_DIRS})
 add_definitions(-DWITH_PYTHON)
+
+ if(WITH_PYTHON_SECURITY)
+ add_definitions(-DWITH_PYTHON_SECURITY)
+ endif()
 endif()
 if(WITH_GAMEENGINE)
diff --git a/source/blender/windowmanager/intern/wm_files.c b/source/blender/windowmanager/intern/wm_files.c
index f5fe98ae4d4..05cf71fcd83 100644
--- a/source/blender/windowmanager/intern/wm_files.c
+++ b/source/blender/windowmanager/intern/wm_files.c
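Review bot: The `add_definitions(-DWITH_PYTHON_SECURITY)` guard is copied into three CMakeLists (this one, source/blender/windowmanager/CMakeLists.txt and source/creator/CMakeLists.txt), and the C sides test it with `#ifndef WITH_PYTHON_SECURITY`, so any translation unit that later checks the macro but whose CMakeLists was not updated silently compiles the permissive branch. Defining the macro once where the option itself is declared (the top-level CMakeLists, which is outside this diff) would give every module the same value; if the per-module form is kept, a comment such as `# keep in sync with the other WITH_PYTHON_SECURITY definitions` at each site would at least flag the coupling. The define also lives inside `if(WITH_PYTHON)`, which is presumably intended since the macro is meaningless without Python, but it means enabling WITH_PYTHON_SECURITY on its own has no effect and nothing says so.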
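Review bot: The hardened `#else` branch that clears `G_SCRIPT_AUTOEXEC` carries no comment explaining the policy, while `/* default */` on the `#ifndef` only labels the permissive side. Suggest replacing `/* default */` with `/* default: auto-run scripts in .blend files; WITH_PYTHON_SECURITY builds start with auto-exec off and -y / --enable-autoexec turns it on (CVE-2009-3850) */` so a reader of initglobals() sees both halves of the contract without opening the build files. initglobals() starts before this hunk, so whether G.f is zeroed earlier (which would make the `&= ~` a no-op, though harmless) is not visible here.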
@@ -418,6 +418,12 @@ int WM_read_homefile(bContext *C, ReportList *reports, short from_memory)
 if(success==0) {
 success = BKE_read_file_from_memory(C, datatoc_startup_blend, datatoc_startup_blend_size, NULL);
 if (wmbase.first == NULL) wm_clear_default_size(C);
+
+#ifdef WITH_PYTHON_SECURITY /* not default */
+ /* use alternative setting for security nuts
+ * otherwise we'd need to patch the binary blob - startup.blend.c */
+ U.flag |= USER_SCRIPT_AUTOEXEC_DISABLE;
+#endif
 }
 /* prevent buggy files that had G_FILE_RELATIVE_REMAP written out by mistake. Screws up autosaves otherwise
diff --git a/source/creator/CMakeLists.txt b/source/creator/CMakeLists.txt
index 87850528648..d1f5cddc981 100644
--- a/source/creator/CMakeLists.txt
+++ b/source/creator/CMakeLists.txt
@@ -75,6 +75,10 @@ endif()
 if(WITH_PYTHON)
 blender_include_dirs(../blender/python)
 add_definitions(-DWITH_PYTHON)
+
+ if(WITH_PYTHON_SECURITY)
+ add_definitions(-DWITH_PYTHON_SECURITY)
+ endif()
 endif()
 if(WITH_GAMEENGINE)
diff --git a/source/creator/creator.c b/source/creator/creator.c
index 758989b3eb0..e8763c42efe 100644
--- a/source/creator/creator.c
+++ b/source/creator/creator.c
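Review bot: The new comment `/* use alternative setting for security nuts ... */` describes the motivation dismissively rather than the mechanism: this sits inside the `if(success==0)` fallback that loads the built-in startup.blend, so it only applies when no user startup.blend was read, and a reader cannot tell that from the comment. Suggest `/* WITH_PYTHON_SECURITY: the built-in startup.blend stores the permissive setting, so clear it here instead of patching the generated startup.blend.c. Only reached when no user startup.blend was loaded. */`. WM_read_homefile() continues outside the hunk, so whether a user-saved startup.blend with USER_SCRIPT_AUTOEXEC_DISABLE unset keeps auto-exec on is not visible here; if that is intended (the commit message says only factory settings change), stating it in the comment would stop a future reader from treating it as a gap.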
@@ -1074,10 +1074,22 @@ static void setupArguments(bContext *C, bArgs *ba, SYS_SystemHandle *syshandle)
 BLI_argsAdd(ba, 1, "/?", NULL, "\n\tPrint this help text and exit (windows only)", print_help, ba);
 BLI_argsAdd(ba, 1, "-v", "--version", "\n\tPrint Blender version and exit", print_version, NULL);
+
+ /* only to give help message */
+#ifndef WITH_PYTHON_SECURITY /* default */
+# define PY_ENABLE_AUTO ", (default)"
+# define PY_DISABLE_AUTO ""
+#else
+# define PY_ENABLE_AUTO ""
+# define PY_DISABLE_AUTO ", (compiled as non-standard default)"
+#endif
- BLI_argsAdd(ba, 1, "-y", "--enable-autoexec", "\n\tEnable automatic python script execution (default)", enable_python, NULL);
- BLI_argsAdd(ba, 1, "-Y", "--disable-autoexec", "\n\tDisable automatic python script execution (pydrivers, pyconstraints, pynodes)", disable_python, NULL);
+ BLI_argsAdd(ba, 1, "-y", "--enable-autoexec", "\n\tEnable automatic python script execution" PY_ENABLE_AUTO, enable_python, NULL);
+ BLI_argsAdd(ba, 1, "-Y", "--disable-autoexec", "\n\tDisable automatic python script execution (pydrivers, pyconstraints, pynodes)" PY_DISABLE_AUTO, disable_python, NULL);
+#undef PY_ENABLE_AUTO
+#undef PY_DISABLE_AUTO
+
 BLI_argsAdd(ba, 1, "-b", "--background", "<file>\n\tLoad <file> in background (often used for UI-less rendering)", background_mode, NULL);
 BLI_argsAdd(ba, 1, "-a", NULL, playback_doc, playback_mode, NULL);
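Review bot: The help strings built from `PY_ENABLE_AUTO` / `PY_DISABLE_AUTO` read awkwardly to the user: `", (default)"` and `", (compiled as non-standard default)"` put a comma directly before a parenthesis, and "compiled as non-standard default" does not tell a user what the build does for them. Suggest `# define PY_ENABLE_AUTO " (default)"` in the first branch and `# define PY_DISABLE_AUTO " (default in this build)"` in the `#else` branch, keeping the empty counterparts as they are. Defining and `#undef`-ing macros in the middle of the function body works, but two `static const char` strings selected by a single `#ifdef WITH_PYTHON_SECURITY` would avoid the macro dance and keep the preprocessor out of the argument table; setupArguments() continues outside the hunk.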