From c849cf8e8865998487e2b5ba613dda2705767960 Mon Sep 17 00:00:00 2001
From: Remco Burema
Date: Fri, 7 Jan 2022 19:12:36 +0100
Subject: Refuse to listen to QT_PLUGIN_PATH.

We don't need it ourselves, and it's a potentially serious attack vector.

CURA-8475
---
 cura_app.py | 1 +
 1 file changed, 1 insertion(+)

(limited to 'cura_app.py')

diff --git a/cura_app.py b/cura_app.py
index 57692ec0ae..0a63db9376 100755
--- a/cura_app.py
+++ b/cura_app.py
@@ -15,6 +15,7 @@ if "" in sys.path:
 import argparse
 import faulthandler
 import os
+os.environ["QT_PLUGIN_PATH"] = "" # Security workaround: Don't need it, and introduces an attack vector, so set to nul.
 from PyQt5.QtNetwork import QSslConfiguration, QSslSocket
-- 
cgit v1.2.3

From 03376b3df2e2958c3db91ff6d050e3ab6ba57c80 Mon Sep 17 00:00:00 2001
From: Remco Burema
Date: Tue, 11 Jan 2022 09:20:57 +0100
Subject: Does need the env-var on Linux.

But we need it opn platforms we might release an Enterprise edition for. Fortunately, Linux is not one of those platforms, so it all works out anyway.

CURA-8475
---
 cura_app.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'cura_app.py')

diff --git a/cura_app.py b/cura_app.py
index 0a63db9376..c96e4ba48e 100755
--- a/cura_app.py
+++ b/cura_app.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
-# Copyright (c) 2020 Ultimaker B.V.
+# Copyright (c) 2022 Ultimaker B.V.
 # Cura is released under the terms of the LGPLv3 or higher.
 # Remove the working directory from sys.path.
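Review bot: The added `os.environ["QT_PLUGIN_PATH"] = ""` only works because it sits above the `from PyQt5.QtNetwork import ...` line that follows it — as far as I know Qt consults the variable when it first builds its plugin search path, so an import sorter or a later reshuffle that moves the assignment below any PyQt5 import would silently disable the workaround without any error. The comment on that line should record the ordering constraint, e.g. `# Must stay above the first PyQt5 import: Qt reads this variable when it initialises its plugin search path.`, and "set to nul" reads better as "set to empty". The assignment is module-level code between the imports, not inside a function.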
@@ -15,7 +15,8 @@ if "" in sys.path:
 import argparse
 import faulthandler
 import os
-os.environ["QT_PLUGIN_PATH"] = "" # Security workaround: Don't need it, and introduces an attack vector, so set to nul.
+if sys.platform != "linux": # Turns out the Linux build _does_ use this, but we're not making an Enterprise release for that system anyway.
+    os.environ["QT_PLUGIN_PATH"] = "" # Security workaround: Don't need it, and introduces an attack vector, so set to nul.
 from PyQt5.QtNetwork import QSslConfiguration, QSslSocket
-- 
cgit v1.2.3

From 8b7403c2f67a8ec3f0411f7ad545fd6e9cd75560 Mon Sep 17 00:00:00 2001
From: Remco Burema
Date: Tue, 11 Jan 2022 10:29:21 +0100
Subject: Also ignore QML2_IMPORT_PATH.

More secure.

part of CURA-8475
---
 cura_app.py | 1 +
 1 file changed, 1 insertion(+)

(limited to 'cura_app.py')

diff --git a/cura_app.py b/cura_app.py
index c96e4ba48e..03399b5614 100755
--- a/cura_app.py
+++ b/cura_app.py
@@ -17,6 +17,7 @@ import faulthandler
 import os
 if sys.platform != "linux": # Turns out the Linux build _does_ use this, but we're not making an Enterprise release for that system anyway.
     os.environ["QT_PLUGIN_PATH"] = "" # Security workaround: Don't need it, and introduces an attack vector, so set to nul.
+    os.environ["QML2_IMPORT_PATH"] = "" # Security workaround: Don't need it, and introduces an attack vector, so set to nul.
 from PyQt5.QtNetwork import QSslConfiguration, QSslSocket
-- 
cgit v1.2.3
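Review bot: The new `if sys.platform != "linux":` guard leaves the Linux build honouring whatever QT_PLUGIN_PATH it inherits from the environment, and the comment justifies that by release policy rather than by what the Linux packaging technically needs, so a later reader cannot tell whether the exemption is still required or whether the Linux value could instead be set to a known path by the launcher. Reword the comment to record the technical reason and where the variable is set on Linux, e.g. `# The Linux build relies on QT_PLUGIN_PATH set by its packaging (TODO: note which step sets it); all other platforms clear it.` The guard and its body are module-level statements between the imports, not inside a function.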
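Review bot: The added QML2_IMPORT_PATH line repeats the QT_PLUGIN_PATH comment verbatim, so the rationale now lives in two places that will drift apart as further variables are cleared. Hoist a single comment above the `if` and clear the variables from one tuple, `for _qt_var in ("QT_PLUGIN_PATH", "QML2_IMPORT_PATH"):` / `    os.environ[_qt_var] = ""`, so each additional variable becomes a one-token change with one shared explanation. The block is top-level code between the imports, not inside a function.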