diff options
| author | Ghostkeeper <rubend@tutanota.com> | 2020-02-26 19:02:40 +0300 |
|---|---|---|
| committer | Ghostkeeper <rubend@tutanota.com> | 2020-02-26 19:02:40 +0300 |
| commit | bbb704ff2470b43342d0f7fd256bf05256a4d855 (patch) | |
| tree | f0a875f3e927d50c96bfef199cd770c6b8383429 /cura_app.py | |
| parent | d84bc5c682ff2d532d6315707cbf91638dbc840d (diff) | |
Remove working directory from sys.path
This prevents accidentally loading packages from the working directory that are not in Cura's build.
Contributes to issue CURA-7081.
Diffstat (limited to 'cura_app.py')
| -rwxr-xr-x | cura_app.py | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/cura_app.py b/cura_app.py index 2358108845..629091a156 100755 --- a/cura_app.py +++ b/cura_app.py @@ -1,12 +1,20 @@ #!/usr/bin/env python3 -# Copyright (c) 2019 Ultimaker B.V. +# Copyright (c) 2020 Ultimaker B.V. # Cura is released under the terms of the LGPLv3 or higher. +# Remove the working directory from sys.path. +# This fixes a security issue where Cura could import Python packages from the +# current working directory, and therefore be made to execute locally installed +# code (e.g. in the user's home directory where AppImages by default run from). +# See issue CURA-7081. +import sys +if "" in sys.path: + sys.path.remove("") + import argparse import faulthandler import os -import sys # Workaround for a race condition on certain systems where there # is a race condition between Arcus and PyQt. Importing Arcus |