[Bf-committers] Blender 2.5 malicious scripting

Dalai Felinto dfelinto at gmail.com
Wed Feb 24 15:42:37 CET 2010


+1 on an option at loading time to disable scripts.

In Blender 2.4xx it was perfectly possible to have this (I wrote a patch
that was disabling all py - pynodes, pyconstraints, pynumbers, ... - at load
time).
However (big however here) I myself wouldn't try to write it again to
Blender 2.5 unless I have a clear go for that (nor advise someone to do it).
Also I forgot the arguments, but in bconf 2008 Ton convinced me that this
wasn't a good idea, so I dropped it.

One option is to have it as an internal option and leave
developers/interested people to change their UI files to expose this.

Dalai
(the old patch is here:
http://projects.blender.org/tracker/?func=detail&aid=17701&group_id=9&atid=127
 )


2010/2/24 Campbell Barton <ideasman42 at gmail.com>

> @Benjamin, I think you sum this up well in your last mail, Blender
> will continue to go with option #1, (allow security hole to exist),
> rather than switch language/language implementation.
>
> @Knapp, agree security at an OS level would help.
>
> I'm not suggesting we ask the user before running scripts, only that
> there is an option on loading not to run scripts in the blendfile.
>
> This isn't exactly security but at least allows you to safely load a
> blend file from some unknown source.
> - Campbell
>
> On Wed, Feb 24, 2010 at 12:20 PM, Knapp <magick.crow at gmail.com> wrote:
> > It seems quite obvious that we need a new layer of security in all
> > OSes. We have su and user now, we need to add program. Anything
> > launched by Blender should not be able to open files made by Firefox
> > etc. This is not a problem that Blender will be able to solve but I
> > don't see asking the user to be of much use anyway. The artists I know
> > just say, "what does that mean?" and then click whatever it takes to
> > get the silly program working again. Not ideal but real. Perhaps
> > Blender should have a repository or secure scripts that people can get
> > so that we are not out downloading scripts from random places?
> > --
> > Douglas E Knapp
> >
> > Open Source Sci-Fi mmoRPG Game project.
> > http://sf-journey-creations.wikispot.org/Front_Page
> > http://code.google.com/p/perspectiveproject/
> > _______________________________________________
> > Bf-committers mailing list
> > Bf-committers at blender.org
> > http://lists.blender.org/mailman/listinfo/bf-committers
> >
>
>
>
> --
> - Campbell

