[Bf-committers] Blender 2.5 malicious scripting

[Benjamin Tolputt]

Tyler Tricker wrote:
> What about Jython or Ironpython as a base platform? both have the ability to
> lock down the VM.
>   

Given both the cross-platform nature of Blender (ruling out IronPython)
and the fact that Blender uses the C-API of Python quite heavily (ruling
out Jython, even were a JVM requirement acceptable) - anything but a
version of CPython (patched or otherwise) is simply outside the scope of
this or feasible future developments.

Simply put - the choice of Python means, until some theoretical "safe"
version of CPython in the future, that Blender's security will be
limited to warnings & user intervention mechanisms. Proper sandboxing is
bot possible with CPython and, until it is, that only leaves "Microsoft
Office" style security (i.e. let the user know that there are
macros/scripts in the file and only allow them to run should the user
agree to it on load).

> "Like if there are any scripts, warn the user and ask if the scripts should
> be allowed for the session or permanently."
>
> I think this would get really annoying to have to confirm every script.
>   

I don't think it need be done for "every script", only a vague "There
are scripts in this blend. Do you trust the blend to run scripts on your
machine" message. It was the security option Microsoft used for their
office suite (which is deployed far wider than Blender, in places meant
to have more security than the average graphic studio, and is on record
for actually widely spreading macro virii).

It is not "real security" by any measure, but it is something we need to
settle for given the development constraints.

-- 
Regards,

Benjamin Tolputt
Analyst Programmer