466eb426ed
The use of wordexp(3) permits arbitrary code execution from manually-crafted glTF files. See https://github.com/syoyo/tinygltf/issues/368 for more details.

In practice this shouldn't be an issue for Blender since the glTF data isn't manually crafted but from the OpenXR runtime (a bit like a driver). But updating the library to include the fix is not a big deal anyway.

Note that the warning that required the local modification is no longer present upstream since https://github.com/syoyo/tinygltf/commit/0bfcb4f49e0b149c41ba67eeb3b64f297c1637f5

Pull Request: https://projects.blender.org/blender/blender/pulls/105536
Project: TinyGLTF
URL: https://github.com/syoyo/tinygltf
License: MIT
Upstream version: 2.8.3, 84a83d39f55d
Local modifications: None
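
The wordexp(3) behaviour the commit message refers to, as an added example that is not part of the commit, of Blender or of tinygltf, and that does not reproduce the upstream fix: passing `WRDE_NOCMD` makes wordexp() reject command substitution in a path instead of handing it to a shell. The helper name `expand_untrusted_path` and the sample paths are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wordexp.h>

/* Hypothetical helper, not tinygltf's code: expand a path read from an
 * untrusted asset file. Returns 0 and a malloc'd string in *out, or a
 * wordexp() error code (for example WRDE_CMDSUB) when the input is rejected. */
int expand_untrusted_path(const char *path, char **out)
{
    wordexp_t we;
    int rc;

    *out = NULL;
    if (path == NULL || *path == '\0')
        return WRDE_SYNTAX;
    memset(&we, 0, sizeof we);

    /* Without WRDE_NOCMD, $(...) and `...` in the input are run by a shell.
     * With it, wordexp() refuses such input and returns WRDE_CMDSUB. */
    rc = wordexp(path, &we, WRDE_NOCMD);
    if (rc != 0) {
        if (rc == WRDE_NOSPACE)
            wordfree(&we);          /* words may have been partially allocated */
        return rc;
    }
    /* A file path must stay a single word; input that splits or globs into
     * several words (or none) is treated as malformed here. */
    if (we.we_wordc == 1)
        *out = strdup(we.we_wordv[0]);
    wordfree(&we);
    return *out ? 0 : WRDE_SYNTAX;
}

int main(void)
{
    /* Constructed sample inputs; the substitutions are never executed. */
    const char *samples[] = { "textures/albedo.png", "tex_$(echo x).png",
                              "tex_`echo x`.png", "a.png; b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *p;
        int rc = expand_untrusted_path(samples[i], &p);
        printf("%-22s rc=%d %s\n", samples[i], rc, p ? p : "(rejected)");
        free(p);
    }
    return 0;
}
```

When tilde and variable expansion are not needed, not calling wordexp() on file-supplied paths at all is the simpler option.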