[Bf-committers] Please turn off Auto Run Python Scripts by default
Jace Priester
jacepriester at threespaceimaging.com
Wed Jun 5 21:21:42 CEST 2013
Another +1 for not changing the OS module, or anything else for that
matter. I use lots of python system-related modules, including OS, in my
import/export/interop pipeline. If it is broken I will most likely not be
using blender anymore (seriously).
Additionally, I don't believe security in blend files is an issue anyway.
If you have accepted a file from an untrusted source and opened it, YOU are
the security risk, not the program you opened it with. AVIs, DOCs, and
various other data files have had and still do have security risks
associated with them (whether internal scripts are allowed to run or not).
This problem is certainly not unique to blend files, and certainly not due
solely to the fact that blender allows python scripts to run. This is a
non-issue.
The "Trusted Source" checkbox is a nice feature, I guess, but realistically
I've never used it because I want all blends to open and work as intended
by the creator. If I think it might be a malicious file, I don't accept it
in the first place. That's where security starts, and ultimately ends.
On Wed, Jun 5, 2013 at 10:55 AM, Campbell Barton <ideasman42 at gmail.com>wrote:
> Hacked os module isn't really an option, Python uses this for its
> internal operations all over the place - a lot of python modules are
> written in Python so these would break.
>
> In python3.3 module dir...
> find -name "*.py" | xargs grep "\bos\." | wc -l
> --> 7833
>
> Attempting to let Python do its own thing but sandbox Blender scripts
> also cant work well,
>
> In the BGE we did have some basic security (disable some modules &
> open()... iirc),
> But this is trivially easy to workaround - as in one line of python to
> get access to the real modules/functions.
>
> The only way I could see this working would be to do this on a libc
> level - replacing pythons own calls to open() / fopen() etc. But this
> also gives high risk of breaking Python its self.
> _______________________________________________
> Bf-committers mailing list
> Bf-committers at blender.org
> http://lists.blender.org/mailman/listinfo/bf-committers
>
--
--------------------------------------------------------------------------
Jace Priester
Threespace Imaging
jacepriester at threespaceimaging.com
559-284-0904
--------------------------------------------------------------------------
More information about the Bf-committers
mailing list