From bbb704ff2470b43342d0f7fd256bf05256a4d855 Mon Sep 17 00:00:00 2001
From: Ghostkeeper
Date: Wed, 26 Feb 2020 17:02:40 +0100
Subject: Remove working directory from sys.path

This prevents accidentally loading packages from the working directory that are not in Cura's build.

Contributes to issue CURA-7081.
---
 cura_app.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'cura_app.py')

diff --git a/cura_app.py b/cura_app.py
index 2358108845..629091a156 100755
--- a/cura_app.py
+++ b/cura_app.py
@@ -1,12 +1,20 @@
 #!/usr/bin/env python3
-# Copyright (c) 2019 Ultimaker B.V.
+# Copyright (c) 2020 Ultimaker B.V.
 # Cura is released under the terms of the LGPLv3 or higher.
+# Remove the working directory from sys.path.
+# This fixes a security issue where Cura could import Python packages from the
+# current working directory, and therefore be made to execute locally installed
+# code (e.g. in the user's home directory where AppImages by default run from).
+# See issue CURA-7081.
+import sys
+if "" in sys.path:
+ sys.path.remove("")
+
 import argparse
 import faulthandler
 import os
-import sys
 # Workaround for a race condition on certain systems where there
 # is a race condition between Arcus and PyQt. Importing Arcus
-- 
cgit v1.2.3
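Review bot: `sys.path.remove("")` under the new `if "" in sys.path:` branch drops only the first empty entry, so a second `""` (for example from a PYTHONPATH with an empty component) survives and the working directory remains importable; filtering the whole list is the robust form: `sys.path[:] = [p for p in sys.path if p != ""]`. The check also matches only the literal empty string, so an entry of `"."` or the absolute current directory (again typically from PYTHONPATH) would presumably still be searched — worth covering in the same filter, which would need `os` imported before this point rather than after it as the hunk currently orders it. Since the guard only protects imports that happen after it, a comment such as `# Must run before any non-stdlib import, or the cwd lookup has already happened.` would make that ordering constraint explicit for future edits to this header.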