author | 2011-05-17 16:11:52 +0000 | |
---|---|---|
committer | 2011-05-17 16:11:52 +0000 | |
commit | 329af1aa1f79b2fb9095a919ecd221d8717a4ebf (patch) | |
tree | e91394361ea940b7fe604593081c7c935363664c /media-gfx | |
parent | Use proper patches. Bug #347485. Thanks to Dries Harnie <botje.linux@gmail.com> (diff) | |
media-gfx/blender: Update patch for CVE-2009-3850 to v2
(Portage version: 2.1.9.48/cvs/Linux x86_64)
Diffstat (limited to 'media-gfx')
-rw-r--r-- | media-gfx/blender/ChangeLog | 8 | ||||
-rw-r--r-- | media-gfx/blender/blender-2.57-r1.ebuild | 451 | ||||
-rw-r--r-- | media-gfx/blender/files/blender-2.57-CVE-2009-3850-v2.patch | 172 |
3 files changed, 630 insertions, 1 deletions
diff --git a/media-gfx/blender/ChangeLog b/media-gfx/blender/ChangeLog index 450d5b8a00bb..52c8c4957d84 100644 --- a/media-gfx/blender/ChangeLog +++ b/media-gfx/blender/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for media-gfx/blender # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/media-gfx/blender/ChangeLog,v 1.195 2011/05/12 14:56:00 sping Exp $ +# $Header: /var/cvsroot/gentoo-x86/media-gfx/blender/ChangeLog,v 1.196 2011/05/17 16:11:52 sping Exp $ + +*blender-2.57-r1 (17 May 2011) + + 17 May 2011; Sebastian Pipping <sping@gentoo.org> +blender-2.57-r1.ebuild, + +files/blender-2.57-CVE-2009-3850-v2.patch: + Update patch for CVE-2009-3850 to v2 12 May 2011; Sebastian Pipping <sping@gentoo.org> blender-2.57.ebuild, +files/blender-2.57-insecure.desktop: diff --git a/media-gfx/blender/blender-2.57-r1.ebuild b/media-gfx/blender/blender-2.57-r1.ebuild new file mode 100644 index 000000000000..4ec6b5fa3320 --- /dev/null +++ b/media-gfx/blender/blender-2.57-r1.ebuild 
@@ -0,0 +1,451 @@ +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/media-gfx/blender/blender-2.57-r1.ebuild,v 1.1 2011/05/17 16:11:52 sping Exp $ + +PYTHON_DEPEND="3:3.2" + +EAPI=3 + +if [[ ${PV} == *9999 ]] ; then +SCM="subversion" +ESVN_REPO_URI="https://svn.blender.org/svnroot/bf-blender/trunk/blender" +fi + +inherit eutils python versionator flag-o-matic toolchain-funcs ${SCM} + +IUSE="+game-engine player +elbeem +openexr ffmpeg jpeg2k openal openmp \ + +dds debug fftw jack apidoc sndfile lcms tweak-mode sdl sse \ + redcode +zlib iconv contrib collada verse" + +# not complete/working features +#IUSE="verse collada test" + +LANGS="en ar bg ca cs de el es fi fr hr it ja ko nl pl pt_BR ro ru sr sv uk zh_CN" +for X in ${LANGS} ; do + IUSE="${IUSE} linguas_${X}" +done + +DESCRIPTION="3D Creation/Animation/Publishing System" +HOMEPAGE="http://www.blender.org" +if [[ ${PV} == *9999 ]] ; then + SRC_URI="" +elif [[ ${PV%_p*} != ${PV} ]] ; then # Gentoo snapshot + SRC_URI="mirror://gentoo/${P}.tar.xz" +else # Official release + SRC_URI="http://download.blender.org/source/${P}.tar.gz" +fi + +#SLOT="$(get_version_component_range 1-2)" +SLOT="2.5" +LICENSE="|| ( GPL-2 BL )" +KEYWORDS="~amd64 ~x86" + +RDEPEND="media-libs/jpeg + media-libs/libpng + x11-libs/libXi + x11-libs/libX11 + media-libs/tiff + media-libs/libsamplerate + virtual/opengl + >=media-libs/freetype-2.0 + virtual/libintl + media-libs/glew + dev-cpp/eigen:2 + >=sci-physics/bullet-2.76 + iconv? ( virtual/libiconv ) + zlib? ( sys-libs/zlib ) + sdl? ( media-libs/libsdl[audio,joystick] ) + openexr? ( media-libs/openexr ) + ffmpeg? ( + virtual/ffmpeg[x264,mp3,encode,theora] + jpeg2k? ( virtual/ffmpeg[x264,mp3,encode,theora,jpeg2k] ) + ) + openal? ( >=media-libs/openal-1.6.372 ) + fftw? ( sci-libs/fftw:3.0 ) + jack? ( media-sound/jack-audio-connection-kit ) + sndfile? ( media-libs/libsndfile ) + lcms? 
( media-libs/lcms )" + +DEPEND=">=dev-util/scons-0.98 + apidoc? ( + dev-python/sphinx + >=app-doc/doxygen-1.5.7[-nodot] + ) + x11-base/xorg-server + ${RDEPEND}" + +# configure internationalization only if LINGUAS have more +# languages than 'en', otherwise must be disabled +if [[ ${LINGUAS} != "en" && -n ${LINGUAS} ]]; then + DEPEND="${DEPEND} + sys-devel/gettext" +fi + +blend_with() { + local UWORD="$2" + [ -z "${UWORD}" ] && UWORD="$1" + if useq $1; then + echo "WITH_BF_${UWORD}=1" | tr '[:lower:]' '[:upper:]' \ + >> "${S}"/user-config.py + else + echo "WITH_BF_${UWORD}=0" | tr '[:lower:]' '[:upper:]' \ + >> "${S}"/user-config.py + fi +} + +src_unpack() { +if [[ ${PV} == *9999 ]] ; then + subversion_fetch + if use contrib; then + S="${S}"/release/scripts/addons_contrib subversion_fetch \ + "https://svn.blender.org/svnroot/bf-extensions/contrib/py/scripts/addons/" + fi +else + unpack ${A} +fi +} + +pkg_setup() { + enable_openmp=0 + if use openmp; then + if tc-has-openmp; then + enable_openmp=1 + else + ewarn "You are using gcc built without 'openmp' USE." + ewarn "Switch CXX to an OpenMP capable compiler." + die "Need openmp" + fi + fi + python_set_active_version 3 +} + +src_prepare() { + #epatch "${FILESDIR}"/${PN}-${SLOT}-CVE-2008-1103.patch + #epatch "${FILESDIR}"/${PN}-${SLOT}-CVE-2008-4863.patch + #epatch "${FILESDIR}"/${PN}-2.49a-sys-openjpeg.patch + epatch "${FILESDIR}"/${P}-bmake.patch + epatch "${FILESDIR}"/${P}-doxygen.patch + epatch "${FILESDIR}"/${P}-libav-0.7.patch + epatch "${FILESDIR}"/${P}-CVE-2009-3850-v2.patch + epatch "${FILESDIR}"/${P}-desktop.patch + + # OpenJPEG + einfo "Removing bundled OpenJPEG ..." + rm -r extern/libopenjpeg + + # Glew + einfo "Removing bundled Glew ..." + rm -r extern/glew + epatch "${FILESDIR}"/${P}-glew.patch + + # binreloc +# einfo "Removing bundled binreloc ..." +# rm -r extern/binreloc +# epatch "${FILESDIR}"/${PN}-${SLOT}-binreloc.patch + + # Eigen2 + einfo "Removing bundled Eigen2 ..." 
+ rm -r extern/Eigen2 + epatch "${FILESDIR}"/${P}-eigen.patch + + # Bullet +# einfo "Removing bundled Bullet2 ..." +# rm -r extern/bullet2 +# epatch "${FILESDIR}"/${PN}-${SLOT}-bullet.patch +} + +src_configure() { + # add system openjpeg into Scons build options. + cat <<- EOF >> "${S}"/user-config.py + BF_OPENJPEG="/usr" + BF_OPENJPEG_INC="/usr/include" + BF_OPENJPEG_LIB="openjpeg" + EOF + + # FIX: littlecms includes path aren't specified + if use lcms; then + cat <<- EOF >> "${S}"/user-config.py + BF_LCMS_INC="/usr/include/" + BF_LCMS_LIB="lcms" + BF_LCMS_LIBPATH="/usr/lib/" + EOF + fi + + # add system sci-physic/bullet into Scons build options. +# cat <<- EOF >> "${S}"/user-config.py +# WITH_BF_BULLET=1 +# BF_BULLET="/usr/include" +# BF_BULLET_INC="/usr/include /usr/include/BulletCollision /usr/include/BulletDynamics /usr/include/LinearMath /usr/include/BulletSoftBody" +# BF_BULLET_LIB="BulletSoftBody BulletDynamics BulletCollision LinearMath" +# EOF + + #add iconv into Scons build options. + if use !elibc_glibc && use !elibc_uclibc && use iconv; then + cat <<- EOF >> "${S}"/user-config.py + WITH_BF_ICONV=1 + BF_ICONV="/usr" + EOF + fi + + # configure internationalization only if LINGUAS have more + # languages than 'en', otherwise must be disabled + [[ -z ${LINGUAS} ]] || [[ ${LINGUAS} == "en" ]] && echo "WITH_BF_INTERNATIONAL=0" >> "${S}"/user-config.py + + # configure Elbeem fluid system + use elbeem || echo "BF_NO_ELBEEM=1" >> "${S}"/user-config.py + + # configure Tweak Mode + use tweak-mode && echo "BF_TWEAK_MODE=1" >> "${S}"/user-config.py + + # FIX: Game Engine module needs to be active to build the Blender Player + if ! 
use game-engine && use player; then + elog "Forcing Game Engine [+game-engine] as required by Blender Player [+player]" + echo "WITH_BF_GAMEENGINE=1" >> "${S}"/user-config.py + else + blend_with game-engine gameengine + fi + + # set CFLAGS used in /etc/make.conf correctly + echo "CFLAGS=[`for i in ${CFLAGS[@]}; do printf "%s \'$i"\',; done`] " \ + | sed -e "s:,]: ]:" >> "${S}"/user-config.py + + # set CXXFLAGS used in /etc/make.conf correctly + local FILTERED_CXXFLAGS="`for i in ${CXXFLAGS[@]}; do printf "%s \'$i"\',; done`" + echo "CXXFLAGS=[${FILTERED_CXXFLAGS}]" | sed -e "s:,]: ]:" >> "${S}"/user-config.py + echo "BGE_CXXFLAGS=[${FILTERED_CXXFLAGS}]" | sed -e "s:,]: ]:" >> "${S}"/user-config.py + + # reset general options passed to the C/C++ compilers (useless hardcoded flags) + # FIX: forcing '-funsigned-char' fixes an anti-aliasing issue with menu + # shadows, see bug #276338 for reference + echo "CCFLAGS= ['-funsigned-char', '-D_LARGEFILE_SOURCE', '-D_FILE_OFFSET_BITS=64']" >> "${S}"/user-config.py + + # set LDFLAGS used in /etc/make.conf correctly + local FILTERED_LDFLAGS="`for i in ${LDFLAGS[@]}; do printf "%s \'$i"\',; done`" + echo "LINKFLAGS=[${FILTERED_LDFLAGS}]" | sed -e "s:,]: ]:" >> "${S}"/user-config.py + echo "PLATFORM_LINKFLAGS=[${FILTERED_LDFLAGS}]" | sed -e "s:,]: ]:" >> "${S}"/user-config.py + + # reset REL_* variables (useless hardcoded flags) + cat <<- EOF >> "${S}"/user-config.py + REL_CFLAGS=[] + REL_CXXFLAGS=[] + REL_CCFLAGS=[] + EOF + + # reset warning flags (useless for NON blender developers) + cat <<- EOF >> "${S}"/user-config.py + C_WARN =[ '-w', '-g0' ] + CC_WARN =[ '-w', '-g0' ] + CXX_WARN=[ '-w', '-g0' ] + EOF + + # detecting -j value from MAKEOPTS + local NUMJOBS="$( echo "${MAKEOPTS}" | sed -ne 's,.*-j\([[:digit:]]\+\).*,\1,p' )" + [[ -z "${NUMJOBS}" ]] && NUMJOBS=1 # resetting to -j1 for empty MAKEOPTS + + # generic settings which differ from the defaults from linux2-config.py + cat <<- EOF >> "${S}"/user-config.py + 
BF_OPENGL_LIB='GL GLU X11 Xi GLEW' + BF_INSTALLDIR="../install" + WITHOUT_BF_PYTHON_INSTALL=1 + BF_PYTHON="/usr" + BF_PYTHON_VERSION="3.2" + BF_PYTHON_ABI_FLAGS="" + BF_BUILDINFO=0 + BF_QUIET=1 + BF_NUMJOBS=${NUMJOBS} + BF_LINE_OVERWRITE=0 + WITH_BF_FHS=1 + WITH_BF_BINRELOC=0 + WITH_BF_STATICOPENGL=0 + WITH_BF_OPENMP=${enable_openmp} + EOF + + # configure WITH_BF* Scons build options + for arg in \ + 'sdl' \ + 'apidoc docs' \ + 'lcms' \ + 'jack' \ + 'sndfile' \ + 'openexr' \ + 'dds' \ + 'fftw fftw3' \ + 'jpeg2k openjpeg' \ + 'openal'\ + 'ffmpeg' \ + 'ffmpeg ogg' \ + 'player' \ + 'collada' \ + 'sse rayoptimization' \ + 'redcode' \ + 'zlib' \ + 'verse' ; do + blend_with ${arg} + done + + # enable debugging/testing support + use debug && echo "BF_DEBUG=1" >> "${S}"/user-config.py + use test && echo "BF_UNIT_TEST=1" >> "${S}"/user-config.py +} + +src_compile() { + scons || die \ + '!!! Please add "${S}/scons.config" when filing bugs reports \ + to bugs.gentoo.org' + + einfo "Building plugins ..." 
+ cd "${WORKDIR}"/install/${PV}/plugins/ \ + || die "dir ${WORKDIR}/install/plugins/ do not exist" + chmod 755 bmake + + # FIX: plugins are built without respecting user's LDFLAGS + emake \ + CFLAGS="${CFLAGS} -fPIC" \ + LDFLAGS="$(raw-ldflags) -Bshareable" \ + > /dev/null \ + || die "plugins compilation failed" + + # final cleanup + rm -r "${WORKDIR}"/install/{Python-license.txt,icons,GPL-license.txt,copyright.txt} + +} + +src_install() { + # creating binary wrapper + cat <<- EOF >> "${WORKDIR}/install/blender-${SLOT}" + #!/bin/sh + + # stop this script if the local blender path is a symlink + if [ -L \${HOME}/.blender ]; then + echo "Detected a symbolic link for \${HOME}/.blender" + echo "Sorry, to avoid dangerous situations, the Blender binary can" + echo "not be started until you have removed the symbolic link:" + echo " # rm -i \${HOME}/.blender" + exit 1 + fi + + export BLENDER_SYSTEM_SCRIPTS="/usr/share/blender/${SLOT}/scripts" + export BLENDER_SYSTEM_DATAFILES="/usr/share/blender/${SLOT}/datafiles" + exec /usr/bin/blender-bin-${SLOT} \$* + EOF + + # install binaries + exeinto /usr/bin/ + cp "${WORKDIR}/install/blender" "${WORKDIR}/install/blender-bin-${SLOT}" + doexe "${WORKDIR}/install/blender-bin-${SLOT}" + doexe "${WORKDIR}/install/blender-${SLOT}" + if use player; then + cp "${WORKDIR}/install/blenderplayer" \ + "${WORKDIR}/install/blenderplayer-${SLOT}" + doexe "${WORKDIR}/install/blenderplayer-${SLOT}" + fi + if use verse; then + cp "${WORKDIR}"/install/bin/verse_server \ + "${WORKDIR}/install/bin/verse_server-${SLOT}" + doexe "${WORKDIR}"/install/bin/verse_server-${SLOT} + fi + + # install plugins + exeinto /usr/share/${PN}/${SLOT}/textures + doexe "${WORKDIR}"/install/${PV}/plugins/texture/*.so + exeinto /usr/share/${PN}/${SLOT}/sequences + doexe "${WORKDIR}"/install/${PV}/plugins/sequence/*.so + insinto /usr/include/${PN}/${SLOT} + doins "${WORKDIR}"/install/${PV}/plugins/include/*.h +# rm -r "${WORKDIR}"/install/${PV}/plugins || die + + # install 
desktop file + insinto /usr/share/pixmaps + cp release/freedesktop/icons/scalable/blender.svg \ + release/freedesktop/icons/scalable/blender-${SLOT}.svg + doins release/freedesktop/icons/scalable/blender-${SLOT}.svg + insinto /usr/share/applications + cp release/freedesktop/blender.desktop \ + release/freedesktop/blender-${SLOT}.desktop + doins release/freedesktop/blender-${SLOT}.desktop || die + newins "${FILESDIR}"/${P}-insecure.desktop ${PN}-${SLOT}-insecure.desktop || die + + # install docs +# use doc && dodoc release/text/BlenderQuickStart.pdf + if use apidoc; then + + einfo "Generating (BGE) Blender Game Engine API docs ..." + docinto "API/BGE_API" + dohtml -r "${WORKDIR}"/blender/doc/* +# rm -r "${WORKDIR}"/blender/doc + +# einfo "Generating (BPY) Blender Python API docs ..." +# epydoc source/blender/python/doc/*.py -v \ +# -o doc/BPY_API \ +# --quiet --quiet --quiet \ +# --simple-term \ +# --inheritance=included \ +# --graph=all \ +# --dotpath /usr/bin/dot \ +# || die "epydoc failed." +# docinto "API/python" +# dohtml -r doc/BPY_API/* + + einfo "Generating Blender C/C++ API docs ..." + pushd "${WORKDIR}"/blender/doc/doxygen > /dev/null + doxygen -u Doxyfile + doxygen || die "doxygen failed to build API docs." + docinto "API/blender" + dohtml -r html/* + popd > /dev/null + fi + + # installing blender + insinto /usr/share/${PN}/${SLOT} + doins -r "${WORKDIR}"/install/${PV}/* +# doins -r "${WORKDIR}"/install/${SLOT}/* + + # FIX: making all python scripts readable only by group 'users', + # so nobody can modify scripts apart root user, but python + # cache (*.pyc) can be written and shared across the users. +# chown root:users -R "${D}/usr/share/${PN}/${SLOT}/scripts" || die +# chmod 750 -R "${D}/usr/share/${PN}/${SLOT}/scripts" || die +} + +pkg_preinst() { + if [ -h "${ROOT}/usr/$(get_libdir)/blender/plugins/include" ]; + then + rm -r "${ROOT}"/usr/$(get_libdir)/blender/plugins/include + fi +} + +pkg_postinst() { + echo + elog "Blender uses python integration. 
As such, may have some" + elog "inherit risks with running unknown python scripting." + elog +# elog "CVE-2008-1103-1.patch has been removed as it interferes" +# elog "with autosave undo features. Up stream blender coders" +# elog "have not addressed the CVE issue as the status is still" +# elog "a CANDIDATE and not CONFIRMED." +# elog +# elog "CVE-2008-4863.patch has been remove as it interferes" +# elog "with the load of bpy_ops.py and all the UI python" +# elog "scripts." +# elog + elog "It is recommended to change your blender temp directory" + elog "from /tmp to /home/user/tmp or another tmp file under your" + elog "home directory. This can be done by starting blender, then" + elog "dragging the main menu down do display all paths." + elog + elog "Blender has its own internal rendering engine but you" + elog "can export to external renderers for image computation" + elog "like: YafRay[1], sunflow[2], PovRay[3] and luxrender[4]" + elog + elog "If you need one of them just emerge it:" + elog " [1] emerge -av media-gfx/yafray" + elog " [2] emerge -av media-gfx/sunflow" + elog " [3] emerge -av media-gfx/povray" + elog " [4] emerge -av media-gfx/luxrender" + elog + elog "When setting the Blender paths with the User Preferences" + elog "dialog box, remember to NOT declare your home's paths as:" + elog "~/.blender, but as: /home/user/.blender; in other words," + elog "DO NOT USE the tilde inside the paths, as Blender is not" + elog "able to handle it, ignoring your customizations." +} diff --git a/media-gfx/blender/files/blender-2.57-CVE-2009-3850-v2.patch b/media-gfx/blender/files/blender-2.57-CVE-2009-3850-v2.patch new file mode 100644 index 000000000000..526e0f7f98ae --- /dev/null +++ b/media-gfx/blender/files/blender-2.57-CVE-2009-3850-v2.patch 
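Review bot: The wrapper script generated in src_install ends with `exec /usr/bin/blender-bin-${SLOT} \$*`, and the unquoted `$*` re-splits and glob-expands every argument, so a .blend path containing spaces or wildcard characters reaches the real binary as different arguments than the user passed. Since this wrapper is the entry point of the package, I would forward arguments verbatim with `exec /usr/bin/blender-bin-${SLOT} "\$@"`. The symlink guard in the same heredoc has the same quoting gap and should read `if [ -L "\${HOME}/.blender" ]; then`; with a HOME that contains whitespace the unquoted test errors out and the check is skipped rather than detecting the link. The heredoc is also appended with `>>`, where `>` would keep a repeated install phase from duplicating the script body.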
@@ -0,0 +1,172 @@
+From c4181c5639da5c6a6df31b434498a44d0d680487 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 17 May 2011 17:37:11 +0200
+Subject: [PATCH] Disable execution of embedded Python code unless run with
+ --enable-autoexec|-y|-666 (CVE-2009-3850)
+
+---
+ source/blender/blenkernel/intern/blender.c | 3 ++-
+ source/blender/makesrna/intern/rna_userdef.c | 16 +++++++++++++---
+ source/blender/windowmanager/intern/wm_files.c | 7 ++++++-
+ source/blender/windowmanager/intern/wm_operators.c | 16 ++++++++++++----
+ source/creator/creator.c | 10 ++++++----
+ 5 files changed, 39 insertions(+), 13 deletions(-)
+
+diff --git a/source/blender/blenkernel/intern/blender.c b/source/blender/blenkernel/intern/blender.c
+index 5f08505..9c27ac7 100644
+--- a/source/blender/blenkernel/intern/blender.c
++++ b/source/blender/blenkernel/intern/blender.c
+@@ -141,7 +141,8 @@ void initglobals(void)
+ G.charmin = 0x0000;
+ G.charmax = 0xffff;
+
+- G.f |= G_SCRIPT_AUTOEXEC;
++ G.f &= ~G_SCRIPT_AUTOEXEC;
++ G.f |= G_SCRIPT_OVERRIDE_PREF; /* Disables turning G_SCRIPT_AUTOEXEC on from user prefs */
+ }
+
+ /***/
+diff --git a/source/blender/makesrna/intern/rna_userdef.c b/source/blender/makesrna/intern/rna_userdef.c
+index e9a9ddc..218b50a 100644
+--- a/source/blender/makesrna/intern/rna_userdef.c
++++ b/source/blender/makesrna/intern/rna_userdef.c
+@@ -99,9 +99,17 @@ static void rna_userdef_show_manipulator_update(Main *bmain, Scene *scene, Point
+
+ static void rna_userdef_script_autoexec_update(Main *bmain, Scene *scene, PointerRNA *ptr)
+ {
+- UserDef *userdef = (UserDef*)ptr->data;
+- if (userdef->flag & USER_SCRIPT_AUTOEXEC_DISABLE) G.f &= ~G_SCRIPT_AUTOEXEC;
+- else G.f |= G_SCRIPT_AUTOEXEC;
++ if ((G.f & G_SCRIPT_OVERRIDE_PREF) == 0) {
++ /* Blender run with --enable-autoexec */
++ UserDef *userdef = (UserDef*)ptr->data;
++ if (userdef->flag & USER_SCRIPT_AUTOEXEC_DISABLE) G.f &= ~G_SCRIPT_AUTOEXEC;
++ else G.f |= G_SCRIPT_AUTOEXEC;
++ }
++}
++
++static int rna_userdef_script_autoexec_editable(Main *bmain, Scene *scene, PointerRNA *ptr) {
++ /* Disable "Auto Run Python Scripts" checkbox unless Blender run with --enable-autoexec */
++ return !(G.f & G_SCRIPT_OVERRIDE_PREF);
+ }
+
+ static void rna_userdef_mipmap_update(Main *bmain, Scene *scene, PointerRNA *ptr)
+@@ -2505,6 +2513,8 @@ static void rna_def_userdef_system(BlenderRNA *brna)
+ RNA_def_property_boolean_negative_sdna(prop, NULL, "flag", USER_SCRIPT_AUTOEXEC_DISABLE);
+ RNA_def_property_ui_text(prop, "Auto Run Python Scripts", "Allow any .blend file to run scripts automatically (unsafe with blend files from an untrusted source)");
+ RNA_def_property_update(prop, 0, "rna_userdef_script_autoexec_update");
++ /* Disable "Auto Run Python Scripts" checkbox unless Blender run with --enable-autoexec */
++ RNA_def_property_editable_func(prop, "rna_userdef_script_autoexec_editable");
+
+ prop= RNA_def_property(srna, "use_tabs_as_spaces", PROP_BOOLEAN, PROP_NONE);
+ RNA_def_property_boolean_negative_sdna(prop, NULL, "flag", USER_TXT_TABSTOSPACES_DISABLE);
+diff --git a/source/blender/windowmanager/intern/wm_files.c b/source/blender/windowmanager/intern/wm_files.c
+index f4f7af0..37a9664 100644
+--- a/source/blender/windowmanager/intern/wm_files.c
++++ b/source/blender/windowmanager/intern/wm_files.c
+@@ -270,11 +270,16 @@ static void wm_init_userdef(bContext *C)
+
+ /* set the python auto-execute setting from user prefs */
+ /* enabled by default, unless explicitly enabled in the command line which overrides */
+- if((G.f & G_SCRIPT_OVERRIDE_PREF) == 0) {
++ if (! G.background && ((G.f & G_SCRIPT_OVERRIDE_PREF) == 0)) {
++ /* Blender run with --enable-autoexec */
+ if ((U.flag & USER_SCRIPT_AUTOEXEC_DISABLE) == 0) G.f |= G_SCRIPT_AUTOEXEC;
+ else G.f &= ~G_SCRIPT_AUTOEXEC;
+ }
+ if(U.tempdir[0]) BLI_where_is_temp(btempdir, FILE_MAX, 1);
++
++ /* Workaround to fix default of "Auto Run Python Scripts" checkbox */
++ if ((G.f & G_SCRIPT_OVERRIDE_PREF) && !(G.f & G_SCRIPT_AUTOEXEC))
++ U.flag |= USER_SCRIPT_AUTOEXEC_DISABLE;
+ }
+
+ void WM_read_file(bContext *C, const char *name, ReportList *reports)
+diff --git a/source/blender/windowmanager/intern/wm_operators.c b/source/blender/windowmanager/intern/wm_operators.c
+index 28df023..a2142a5 100644
+--- a/source/blender/windowmanager/intern/wm_operators.c
++++ b/source/blender/windowmanager/intern/wm_operators.c
+@@ -1471,12 +1471,13 @@ static int wm_open_mainfile_exec(bContext *C, wmOperator *op)
+ G.fileflags &= ~G_FILE_NO_UI;
+ else
+ G.fileflags |= G_FILE_NO_UI;
+-
+- if(RNA_boolean_get(op->ptr, "use_scripts"))
++
++ /* Restrict "Trusted Source" mode to Blender in --enable-autoexec mode */
++ if(RNA_boolean_get(op->ptr, "use_scripts") && (!(G.f & G_SCRIPT_OVERRIDE_PREF)))
+ G.f |= G_SCRIPT_AUTOEXEC;
+ else
+ G.f &= ~G_SCRIPT_AUTOEXEC;
+-
++
+ // XXX wm in context is not set correctly after WM_read_file -> crash
+ // do it before for now, but is this correct with multiple windows?
+ WM_event_add_notifier(C, NC_WINDOW, NULL);
+@@ -1488,6 +1489,8 @@ static int wm_open_mainfile_exec(bContext *C, wmOperator *op)
+
+ static void WM_OT_open_mainfile(wmOperatorType *ot)
+ {
++ PropertyRNA * use_scripts_checkbox = NULL;
++
+ ot->name= "Open Blender File";
+ ot->idname= "WM_OT_open_mainfile";
+ ot->description="Open a Blender file";
+@@ -1499,7 +1502,12 @@ static void WM_OT_open_mainfile(wmOperatorType *ot)
+ WM_operator_properties_filesel(ot, FOLDERFILE|BLENDERFILE, FILE_BLENDER, FILE_OPENFILE, WM_FILESEL_FILEPATH);
+
+ RNA_def_boolean(ot->srna, "load_ui", 1, "Load UI", "Load user interface setup in the .blend file");
+- RNA_def_boolean(ot->srna, "use_scripts", 1, "Trusted Source", "Allow blend file execute scripts automatically, default available from system preferences");
++ use_scripts_checkbox = RNA_def_boolean(ot->srna, "use_scripts",
++ !!(G.f & G_SCRIPT_AUTOEXEC), "Trusted Source",
++ "Allow blend file execute scripts automatically, default available from system preferences");
++ /* Disable "Trusted Source" checkbox unless Blender run with --enable-autoexec */
++ if (use_scripts_checkbox && (G.f & G_SCRIPT_OVERRIDE_PREF))
++ RNA_def_property_clear_flag(use_scripts_checkbox, PROP_EDITABLE);
+ }
+
+ /* **************** link/append *************** */
+diff --git a/source/creator/creator.c b/source/creator/creator.c
+index c687cc2..1da282f 100644
+--- a/source/creator/creator.c
++++ b/source/creator/creator.c
+@@ -278,6 +278,7 @@ static int print_help(int UNUSED(argc), const char **UNUSED(argv), void *data)
+
+ printf("\n");
+
++ BLI_argsPrintArgDoc(ba, "-666");
+ BLI_argsPrintArgDoc(ba, "--enable-autoexec");
+ BLI_argsPrintArgDoc(ba, "--disable-autoexec");
+
+@@ -359,14 +360,14 @@ static int end_arguments(int UNUSED(argc), const char **UNUSED(argv), void *UNUS
+ static int enable_python(int UNUSED(argc), const char **UNUSED(argv), void *UNUSED(data))
+ {
+ G.f |= G_SCRIPT_AUTOEXEC;
+- G.f |= G_SCRIPT_OVERRIDE_PREF;
++ G.f &= ~G_SCRIPT_OVERRIDE_PREF; /* Enables turning G_SCRIPT_AUTOEXEC off from user prefs */
+ return 0;
+ }
+
+ static int disable_python(int UNUSED(argc), const char **UNUSED(argv), void *UNUSED(data))
+ {
+ G.f &= ~G_SCRIPT_AUTOEXEC;
+- G.f |= G_SCRIPT_OVERRIDE_PREF;
++ G.f |= G_SCRIPT_OVERRIDE_PREF; /* Disables turning G_SCRIPT_AUTOEXEC on from user prefs */
+ return 0;
+ }
+
+@@ -1075,8 +1076,9 @@ static void setupArguments(bContext *C, bArgs *ba, SYS_SystemHandle *syshandle)
+
+ BLI_argsAdd(ba, 1, "-v", "--version", "\n\tPrint Blender version and exit", print_version, NULL);
+
+- BLI_argsAdd(ba, 1, "-y", "--enable-autoexec", "\n\tEnable automatic python script execution (default)", enable_python, NULL);
+- BLI_argsAdd(ba, 1, "-Y", "--disable-autoexec", "\n\tDisable automatic python script execution (pydrivers, pyconstraints, pynodes)", disable_python, NULL);
++ BLI_argsAdd(ba, 1, NULL, "-666", "\n\tEnable automatic python script execution (port from CVE-2009-3850 patch to Blender 2.49b)", enable_python, NULL);
++ BLI_argsAdd(ba, 1, "-y", "--enable-autoexec", "\n\tEnable automatic python script execution", enable_python, NULL);
++ BLI_argsAdd(ba, 1, "-Y", "--disable-autoexec", "\n\tDisable automatic python script execution (pydrivers, pyconstraints, pynodes) (default)", disable_python, NULL);
+
+ BLI_argsAdd(ba, 1, "-b", "--background", "<file>\n\tLoad <file> in background (often used for UI-less rendering)", background_mode, NULL);
+
+--
+1.7.5.rc3
+ |
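Review bot: In the wm_files.c part of the embedded patch, the retained context comment `/* enabled by default, unless explicitly enabled in the command line which overrides */` now contradicts the code, because initglobals() clears G_SCRIPT_AUTOEXEC and sets G_SCRIPT_OVERRIDE_PREF; it should read along the lines of `/* disabled by default; user prefs are consulted only after --enable-autoexec cleared G_SCRIPT_OVERRIDE_PREF */`. The workaround `U.flag |= USER_SCRIPT_AUTOEXEC_DISABLE;` writes into the in-memory preferences, so saving preferences from a default session presumably persists the disabled setting and a later --enable-autoexec run would then stay disabled; that fails closed, but the comment above it should say so. Only wm_open_mainfile_exec is gated in these hunks, and whether other file-loading paths set G_SCRIPT_AUTOEXEC cannot be seen from here, so that is worth checking against the full tree. wm_init_userdef and wm_open_mainfile_exec both begin outside their hunks.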