Bug#503632: blender: Python scripts load modules from current directory

Sun, 26 Oct 2008 21:49:58 -0700 

tag 503632 patch
thanks

On Mon, Oct 27, 2008 at 12:37:12AM -0400, James Vega wrote:
> Blender's BPY_interface calls PySys_SetArgv such that Python prepends
> sys.path with an empty string.  This allows the possibility to run
> arbitrary code on the user's system if there is a python file in
> Blender's working directory named the same as one that Blender's python
> scripts try to import.

Attached patch sanitizes Python's path.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <[EMAIL PROTECTED]>

diff -u blender-2.46+dfsg/debian/changelog blender-2.46+dfsg/debian/changelog
--- blender-2.46+dfsg/debian/changelog
+++ blender-2.46+dfsg/debian/changelog
@@ -1,3 +1,12 @@
+blender (2.46+dfsg-4.1) UNRELEASED; urgency=high
+
+  * Non-maintainer upload.
+  * Remove empty elements from sys.path to prevent loading arbitrary Python
+    scripts from the current working directory.  (Closes: #503632)
+     - debian/patches/01_sanitize_sys.path
+
+ -- James Vega <[EMAIL PROTECTED]>  Wed, 22 Oct 2008 22:48:58 -0400
+
 blender (2.46+dfsg-4) unstable; urgency=low
 
   * Fix python syntax warning in import_dxf.py, which led to nasty output
diff -u blender-2.46+dfsg/debian/patches/series blender-2.46+dfsg/debian/patches/series
--- blender-2.46+dfsg/debian/patches/series
+++ blender-2.46+dfsg/debian/patches/series
@@ -1,4 +1,5 @@
 #10_gnukfreebsd_support
+01_sanitize_sys.path
 02_tmp_in_HOME
 10_use_systemwide_ftgl
 20_fix_ftbfs_with_latest_ftgl
only in patch2:
unchanged:
--- blender-2.46+dfsg.orig/debian/patches/01_sanitize_sys.path
+++ blender-2.46+dfsg/debian/patches/01_sanitize_sys.path
@@ -0,0 +1,13 @@
+--- a/source/blender/python/BPY_interface.c
++++ b/source/blender/python/BPY_interface.c
+@@ -225,6 +225,10 @@
+ 	//Start the interpreter
+ 	Py_Initialize(  );
+ 	PySys_SetArgv( argc_copy, argv_copy );
++	/* Sanitize sys.path to prevent relative imports loading modules in
++	 * the current working directory
++	 */
++	PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");
+ 
+ 	/* Initialize thread support (also acquires lock) */
+ 	PyEval_InitThreads();

Attachment: signature.asc
Description: Digital signature

Reply via email to