Prevent run of out-of-install executable in secure context.

SEC-257 | CURA-8968
2025-07-06 22:47:29 -06:00 · 2022-06-01 14:26:44 +02:00 · 2022-06-01 14:26:44 +02:00 · d35c862bb8
commit d35c862bb8
parent c33a2b66cc
1 changed files with 14 additions and 9 deletions
--- a/plugins/CuraEngineBackend/CuraEngineBackend.py
+++ b/plugins/CuraEngineBackend/CuraEngineBackend.py
@ -60,7 +60,7 @@ class CuraEngineBackend(QObject, Backend):
        executable_name = "CuraEngine"
        if Platform.isWindows():
            executable_name += ".exe"
-        default_engine_location = executable_name
+        self._default_engine_location = executable_name

        search_path = [
            os.path.abspath(os.path.dirname(sys.executable)),
@ -74,29 +74,29 @@ class CuraEngineBackend(QObject, Backend):
        for path in search_path:
            engine_path = os.path.join(path, executable_name)
            if os.path.isfile(engine_path):
-                default_engine_location = engine_path
+                self._default_engine_location = engine_path
                break

-        if Platform.isLinux() and not default_engine_location:
+        if Platform.isLinux() and not self._default_engine_location:
            if not os.getenv("PATH"):
                raise OSError("There is something wrong with your Linux installation.")
            for pathdir in cast(str, os.getenv("PATH")).split(os.pathsep):
                execpath = os.path.join(pathdir, executable_name)
                if os.path.exists(execpath):
-                    default_engine_location = execpath
+                    self._default_engine_location = execpath
                    break

        application = CuraApplication.getInstance() #type: CuraApplication
        self._multi_build_plate_model = None #type: Optional[MultiBuildPlateModel]
        self._machine_error_checker = None #type: Optional[MachineErrorChecker]

-        if not default_engine_location:
+        if not self._default_engine_location:
            raise EnvironmentError("Could not find CuraEngine")

-        Logger.log("i", "Found CuraEngine at: %s", default_engine_location)
+        Logger.log("i", "Found CuraEngine at: %s", self._default_engine_location)

-        default_engine_location = os.path.abspath(default_engine_location)
-        application.getPreferences().addPreference("backend/location", default_engine_location)
+        self._default_engine_location = os.path.abspath(self._default_engine_location)
+        application.getPreferences().addPreference("backend/location", self._default_engine_location)

        # Workaround to disable layer view processing if layer view is not active.
        self._layer_view_active = False #type: bool
@ -215,7 +215,12 @@ class CuraEngineBackend(QObject, Backend):
        This is useful for debugging and used to actually start the engine.
        :return: list of commands and args / parameters.
        """
-        command = [CuraApplication.getInstance().getPreferences().getValue("backend/location"), "connect", "127.0.0.1:{0}".format(self._port), ""]
+        from cura import ApplicationMetadata
+        if ApplicationMetadata.IsEnterpriseVersion:
+            command = [self._default_engine_location]
+        else:
+            command = [CuraApplication.getInstance().getPreferences().getValue("backend/location")]
+        command += ["connect", "127.0.0.1:{0}".format(self._port), ""]

        parser = argparse.ArgumentParser(prog = "cura", add_help = False)
        parser.add_argument("--debug", action = "store_true", default = False, help = "Turn on the debug mode by setting this option.")