[Bf-committers] Blender 2.5 malicious scripting

Tyler Tricker tntricker at gmail.com
Tue Feb 23 17:48:14 CET 2010


"A Python threaded timer is not killed when new file is loaded.
Could change new loaded file without the knowledge of the user. The timer
is only killed when quitting Blender."

From a security standpoint this is a big problem. If a malicious script has
the ability to attach itself to any other loaded blend file (or worse a
trusted script), it would be impossible to quarantine without losing
anywhere from one file to the entire project.

What about Jython or IronPython as a base platform? Both have the ability to
lock down the VM.

"Like if there are any scripts, warn the user and ask if the scripts should
be allowed for the session or permanently."

I think this would get really annoying to have to confirm every script.
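
The stale-timer problem quoted at the top of this message, seen from the host application's side, as an added example that is not part of the original post and not Blender's own code: a cleanup routine, run from a hypothetical file-load hook, that cancels pending `threading.Timer` objects and reports any thread it cannot stop. The names `cancel_stale_timers` and `demo` and the sample state are constructed for illustration.

```python
import threading
import time


def cancel_stale_timers(keep=(), join_timeout=1.0):
    """Cancel pending threading.Timer threads left over from a previous file.

    Returns (cancelled, survivors). Survivors are threads that could not be
    stopped: plain threads, or timers whose callback is already running.
    Python cannot kill those, so the host should warn the user about them.
    """
    cancelled, survivors = [], []
    current = threading.current_thread()
    for t in threading.enumerate():
        if t is current or t is threading.main_thread() or t in keep:
            continue
        if isinstance(t, threading.Timer):
            t.cancel()            # prevents the callback if it has not fired yet
            t.join(join_timeout)  # a cancelled timer thread exits promptly
            if not t.is_alive():
                cancelled.append(t.name)
                continue
        survivors.append(t.name)
    return cancelled, survivors


def demo():
    """Constructed scenario: a script arms a timer, then a new file is loaded."""
    state = {"file": "old.blend", "tampered": False}

    def tamper():
        # Stands in for a script callback that would edit the newly loaded file.
        state["tampered"] = True

    timer = threading.Timer(0.3, tamper)
    timer.name = "script-timer"
    timer.start()

    state["file"] = "new.blend"                    # simulated file load
    cancelled, survivors = cancel_stale_timers()   # hypothetical load hook
    time.sleep(0.5)                                # past the original deadline
    return cancelled, survivors, state, timer.is_alive()


if __name__ == "__main__":
    print(demo())
```

Threads reported as survivors are the case the message worries about: nothing short of ending the interpreter removes them, so they have to be surfaced to the user rather than silently carried into the new file.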

