Merge pull request #7179 from Ultimaker/CURA-7081_prevent_sys_path_relative

Remove working directory from sys.path
2025-07-24 15:13:56 -06:00 · 2020-03-03 10:34:34 +01:00 · 2020-03-03 10:34:34 +01:00 · d9509d25ba
commit d9509d25ba
parent 0e564abbea bbb704ff24
1 changed files with 10 additions and 2 deletions
--- a/cura_app.py
+++ b/cura_app.py
@ -1,12 +1,20 @@
 #!/usr/bin/env python3

-# Copyright (c) 2019 Ultimaker B.V.
+# Copyright (c) 2020 Ultimaker B.V.
 # Cura is released under the terms of the LGPLv3 or higher.

+# Remove the working directory from sys.path.
+# This fixes a security issue where Cura could import Python packages from the
+# current working directory, and therefore be made to execute locally installed
+# code (e.g. in the user's home directory where AppImages by default run from).
+# See issue CURA-7081.
+import sys
+if "" in sys.path:
+    sys.path.remove("")
+
 import argparse
 import faulthandler
 import os
-import sys

 # Workaround for a race condition on certain systems where there
 # is a race condition between Arcus and PyQt. Importing Arcus