From d03a5fab7a4d0462091c93be52638015240f1afd Mon Sep 17 00:00:00 2001
From: Campbell Barton
Date: Tue, 2 Aug 2022 10:42:39 +0200
Subject: Python: restrict name-space access for restricted evaluation

From [0], restrict namsepace access to anything with an underscore prefix since these may be undocumented.

[0]: 00c7e760b323e5fa46703d0e4769c8f1d9c35f2e
---
 source/blender/python/intern/bpy_driver.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'source/blender')
diff --git a/source/blender/python/intern/bpy_driver.c b/source/blender/python/intern/bpy_driver.c
index 33162fdc35c..6c078e4228c 100644
--- a/source/blender/python/intern/bpy_driver.c
+++ b/source/blender/python/intern/bpy_driver.c
@@ -350,6 +350,7 @@ static bool bpy_driver_secure_bytecode_validate(PyObject *expr_code, PyObject *d
 {
 for (int i = 0; i < PyTuple_GET_SIZE(py_code->co_names); i++) {
 PyObject *name = PyTuple_GET_ITEM(py_code->co_names, i);
+ const char *name_str = PyUnicode_AsUTF8(name);
 bool contains_name = false;

 for (int j = 0; dict_arr[j]; j++) {
@@ -359,11 +360,11 @@ static bool bpy_driver_secure_bytecode_validate(PyObject *expr_code, PyObject *d
 }
 }

- if (contains_name == false) {
+ if ((contains_name == false) || (name_str[0] == '_')) {
 fprintf(stderr,
 "\tBPY_driver_eval() - restricted access disallows name '%s', "
 "enable auto-execution to support\n",
- PyUnicode_AsUTF8(name));
+ name_str);
 return false;
 }
 }
--
cgit v1.2.3
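Review bot: `PyUnicode_AsUTF8()` can return NULL with an exception set, and the `name_str` assigned in the first hunk is dereferenced unchecked by `name_str[0] == '_'` in the second hunk, so a failed conversion would crash the validator instead of rejecting the expression. Because this is the gate for restricted evaluation it should fail closed: `if ((contains_name == false) || (name_str == NULL) || (name_str[0] == '_')) {`, followed by `PyErr_Clear()` and passing `name_str ? name_str : "<invalid>"` to `fprintf`. Whether a compiled driver expression can actually carry a name that fails UTF-8 encoding is not visible from these hunks, so treat this as hardening rather than a confirmed crash. The body of `bpy_driver_secure_bytecode_validate` starts and ends outside both hunks.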