[Bf-committers] Web Plugin :: Python Sandbox

Marcelo Coraça de Freitas mfreitas at ydeasolutions.com.br
Thu Aug 28 19:37:33 CEST 2008


On Thu, 2008-08-28 at 18:45 +0200, Mathias Panzenböck wrote:

> I'm no Python guru. I write a lot of very small Python scripts, but do no
> embedding. However, I still want to point out the following:
> What non-sandboxed things are possible through the Blender API?
> E.g. you could load a text file using Blender.Text.Load.
> Using this you could spy on a user. And with the urllib or webbrowser modules
> you could send back this information (e.g. using a querystring). In a sandbox
> you have to forbid network access anyway. I don't know if access to Blender.Text
> would make sense from within a game anyway, so you could forbid it.



Access to the entire Blender package is already forbidden from within the
game engine. So, that's not really an issue for now.


> I don't know, is it somehow possible to write a file using Blender's API? (e.g.
> through unpacked data) If so, you have to forbid that, too. What's up with
> library access to other .blend files (e.g. like /tmp/quit.blend)?



I'm not sure, but as the modules exported to Python scripting aren't
focused on creating files, I don't think it's possible now.


> Anyway, to call the sandbox done you should review all modules that are
> accessible from within it. Some modules in the standard lib have problems,
> where they are exporting modules they have imported (e.g. they forgot to use
> __all__) so it might be possible to import untrusted modules through some
> trusted ones.



I see. That might cause some problems. Only Python gurus and lots of
testing can tell us that, and that will forever be a source of issues, as
Python is evolving and new packages are being written while sandboxing
is not one of their priorities.



> I think this could be interesting for other projects, too. It would be great
> if you would document what needs to be done to make a sandboxed Python in the
> wiki.



Yeah! Agreed. Maybe I'll dedicate some of my time to this task - even
though I'm neither a Python nor a Blender expert.


Regards,

Ydea Desenvolvimento de Software LTDA.

Marcelo Coraça de Freitas 
IT Manager

Av. Adolfo Pinheiro, 2338 - Alto da Boa Vista 
CEP.:04734-004 - São Paulo - SP 
Tel.: 55-11-5523-0333 
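
The module review discussed in this message (checking each allow-listed module for other modules it exposes as attributes) can be partly automated. The sketch below is an added example, not code from the thread or from Blender; `gamehelper`, `gamemath` and the allow-list are constructed stand-ins. It also reports whether `__all__` hides the name, since `__all__` only limits `from module import *` and does not remove the attribute.

```python
import os
import types


def audit_exports(modules, allowed):
    """Find modules reachable as attributes of allow-listed modules.

    modules: {name: module object} for every module the sandbox may import.
    allowed: set of module names on the allow-list.
    Returns (holder, attribute, real_module_name, star_import_visible) tuples.
    """
    findings = []
    for name in sorted(modules):
        mod = modules[name]
        public = getattr(mod, "__all__", None)
        for attr, value in sorted(vars(mod).items()):
            if not isinstance(value, types.ModuleType):
                continue
            if value.__name__ in allowed:
                continue
            # __all__ (or a leading underscore) only affects star-imports;
            # holder.attr still resolves to the module either way.
            if public is not None:
                star_visible = attr in public
            else:
                star_visible = not attr.startswith("_")
            findings.append((name, attr, value.__name__, star_visible))
    return findings


def build_sample():
    """Constructed sample: two 'trusted' modules that both did `import os`."""
    helper = types.ModuleType("gamehelper")      # no __all__ defined
    helper.os = os
    helper.clamp = lambda v, lo, hi: max(lo, min(hi, v))
    tidy = types.ModuleType("gamemath")          # defines __all__
    tidy.os = os
    tidy.__all__ = ["lerp"]
    tidy.lerp = lambda a, b, t: a + (b - a) * t
    return {"gamehelper": helper, "gamemath": tidy}


ALLOWED = {"gamehelper", "gamemath", "math"}     # hypothetical allow-list


def run_sample():
    return audit_exports(build_sample(), ALLOWED)


if __name__ == "__main__":
    for holder, attr, real, star in run_sample():
        print(f"{holder}.{attr} -> {real} (star-import visible: {star})")
```

For real modules, build the `modules` mapping with `importlib.import_module` over the allow-list and rerun the audit whenever the Python version or the list changes.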