The use of wordexp(3) permits arbitrary code execution from manually-crafted
glTF files. See https://github.com/syoyo/tinygltf/issues/368 for more details.
In practice this shouldn't be an issue for Blender since the glTF data isn't
manually crafted but from the OpenXR runtime (a bit like a driver). But
updating the library to include the fix is not a big deal anyway.
Note that the warning that required the local modification is no longer present upstream since 0bfcb4f49e
Pull Request: https://projects.blender.org/blender/blender/pulls/105536
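The hardening the commit refers to, as an added example that is neither tinygltf's nor Blender's code: a glTF `uri` path expander that does not hand the string to wordexp(3). The function names, the metacharacter policy and the explicit `home` parameter are assumptions made for this illustration.

```cpp
// Added example (not tinygltf's or Blender's code): expand a glTF "uri"
// without wordexp(3). wordexp performs full shell-style word expansion,
// including command substitution, so a crafted uri string inside a glTF
// buffer or image entry could run commands on the host that loads it.
// This version expands only a leading "~/" and otherwise treats the uri
// as a literal path, rejecting anything that carries shell syntax.
#include <string>

// Characters that are meaningful to a shell but have no meaning in a glTF
// relative uri. The list is a policy choice (assumption), not a standard.
static const char kShellMetachars[] = "$`|;&<>\n";

// Returns true if `uri` contains a character a shell would interpret.
bool ContainsShellSyntax(const std::string &uri) {
  return uri.find_first_of(kShellMetachars) != std::string::npos;
}

// Writes the expanded path to `out` and returns true, or returns false and
// leaves `out` empty when the uri must be rejected. `home` is passed in
// explicitly (e.g. the value of getenv("HOME")) so the function is
// deterministic and testable; an empty `home` disables tilde expansion.
bool ExpandFilePathSafe(const std::string &uri, const std::string &home,
                        std::string *out) {
  out->clear();
  if (uri.empty() || ContainsShellSyntax(uri)) {
    return false;
  }
  // Only a bare "~" or a leading "~/" is expanded; "~user" and a '~'
  // elsewhere in the path are not, since glTF gives them no meaning.
  if (uri == "~" || uri.compare(0, 2, "~/") == 0) {
    if (home.empty()) {
      return false;
    }
    *out = home + uri.substr(1);
    return true;
  }
  if (uri[0] == '~') {
    return false;
  }
  *out = uri;  // literal path: no globbing, no variable or command expansion
  return true;
}
```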
The XR_MSFT_controller_model OpenXR extension provides a glTF
controller model that can be displayed to users during a VR session.
There are plans to support this in D10948, which will greatly improve
VR immersion when using a compatible OpenXR runtime.
TinyGLTF (https://github.com/syoyo/tinygltf) was agreed upon as a
simple and sufficient solution for loading this glTF controller model,
which will be performed at the GHOST abstraction layer. Although by
default it has two additional dependencies, stb and json, stb can be
excluded by defining TINYGLTF_NO_STB_IMAGE and
TINYGLTF_NO_STB_IMAGE_WRITE whereas json will be added as a separate
extern lib in D12567.
Reviewed By: Severin
Differential Revision: https://developer.blender.org/D12344