[Bf-committers] Blender 2.42 Web Browser Plugin

Erwin Coumans erwin at erwincoumans.com
Sat Jul 8 18:54:33 CEST 2006


Hi Stephen Swaney,

Did you just 'speculate' there is no sandbox, or did you verify that? Did I 
miss something?

I had to add code to enable the new PhysicsConstraints module, because it 
didn't import, due to that sandbox.
Only GameLogic,GameKeys,PhysicsConstraints,Rasterizer can be imported:

See BlenderPlayerCtl.cpp:
http://projects.blender.org/viewcvs/viewcvs.cgi/blender/source/gameengine/GamePlayer/ActiveX/BlenderPlayerCtl.cpp.diff?r1=1.8&r2=1.9&cvsroot=bf-blender

PyObject* m_dictionaryobject = initGamePlayerPythonScripting("Ketsji", 
psl_Highest);

This calls:

PyObject* initGamePlayerPythonScripting(const STR_String& progname, 
TPythonSecurityLevel level)
{
....
 setSandbox(level); (which is psl_Highest)
}

void setSandbox(TPythonSecurityLevel level)
{
    PyObject *m = PyImport_AddModule("__builtin__");
    PyObject *d = PyModule_GetDict(m);
 PyObject *meth = PyCFunction_New(meth_open, NULL);

 switch (level) {
 case psl_Highest:
   PyDict_SetItemString(d, "open", meth); (which disallows opening risky 
modules)
   meth = PyCFunction_New(meth_import, NULL);
   PyDict_SetItemString(d, "__import__", meth);
  break;

}

which

PyObject *KXpy_import(PyObject *self, PyObject *args)
{
 char *name;
 PyObject *globals = NULL;
 PyObject *locals = NULL;
 PyObject *fromlist = NULL;
 PyObject *l, *m, *n;

 if (!PyArg_ParseTuple(args, "s|OOO:m_import",
         &name, &globals, &locals, &fromlist))
     return NULL;

 /* check for builtin modules */
 m = PyImport_AddModule("sys");
 l = PyObject_GetAttrString(m, "builtin_module_names");
 n = PyString_FromString(name);

 if (PySequence_Contains(l, n)) {
  return PyImport_ImportModuleEx(name, globals, locals, fromlist);
 }

 /* quick hack for GamePython modules
  TODO: register builtin modules properly by ExtendInittab */
 if (!strcmp(name, "GameLogic") || !strcmp(name, "GameKeys") || 
!strcmp(name, "PhysicsConstraints") ||
  !strcmp(name, "Rasterizer")) {
  return PyImport_ImportModuleEx(name, globals, locals, fromlist);
 }

 PyErr_Format(PyExc_ImportError,
   "Import of external Module %.20s not allowed.", name);
 return NULL;

}

Thanks,
Erwin


----- Original Message ----- 
From: "Stephen Swaney" <sswaney at centurytel.net>
To: "bf-blender developers" <bf-committers at projects.blender.org>
Sent: Friday, July 07, 2006 8:36 AM
Subject: Re: [Bf-committers] Blender 2.42 Web Browser Plugin


> On Thu, Jul 06, 2006 at 05:51:14PM -0400, erwin at erwincoumans.com wrote:
>
>> The first steps to a working Blender 2.42 Web Browser Plugin are done.
>>
>> http://www.continuousphysics.com/Bullet/phpBB2/viewtopic.php?t=406
>>
>> This is Windows, ActiveX. It is reported to work under Internet Explorer,
>> and Firefox (using 'render as Internet Explorer 'ActiveX').
>
>
> Please correct me if I am missing something here, but without some sort
> of sandboxing mechanism we are are creating a huge security hole.
>
> Releasing something like this does not seem like a good idea.
>
>
> (note: sorry it this is a dup.  it was sent last night while
> the servers were wonky)
> -- 
> Stephen Swaney
> sswaney at centurytel.net
>
> _______________________________________________
> Bf-committers mailing list
> Bf-committers at projects.blender.org
> http://projects.blender.org/mailman/listinfo/bf-committers
> 




More information about the Bf-committers mailing list