[Bf-committers] Blender 2.5 malicious scripting

Tyler Tricker tntricker at gmail.com
Thu Feb 25 06:43:43 CET 2010


@Benjamin
Hm, I didn't think about the barriers between the VM and the C(/++) ABI. Btw,
IronPython also runs on the Mono CLI, so it's not really a problem as far
as cross-platform is concerned.

@Campbell
"Blender will continue to go with option #1, (allow security hole to exist),
rather than switch language/language implementation."

As far as team resources go it would probably make the most sense at this
point, but it's still something to address. Even if Blender does nothing but
push the CPython team to work on security for future releases, it's still a
security hole. Luckily, Python isn't a popular attack vector yet.

What about checking MD5 hashes on core scripts and having a command line
option to shut down all other scripts? That way if there is a bad script, a
user still has the ability to open a file to try and extract useful data.
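
The check proposed in the message above, sketched as an added example that is not part of the original post or of Blender's code: core scripts are compared against a manifest of known digests, and a core-only switch blocks every script that is not in the manifest. It uses SHA-256 where the message names MD5, because MD5 is not collision resistant; the function names, the `core_only` switch and the sample script names are hypothetical.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hash a script's bytes; algo="md5" gives the digest named in the message."""
    return hashlib.new(algo, Path(path).read_bytes()).hexdigest()


def classify_scripts(script_dir, manifest, core_only=False, algo="sha256"):
    """Return {script name: "run", "blocked-tampered", "blocked-not-core" or "missing"}.

    manifest maps core script names to their expected hex digests.
    core_only models the proposed command-line switch (hypothetical here).
    """
    decisions = {}
    for path in sorted(Path(script_dir).glob("*.py")):
        expected = manifest.get(path.name)
        if expected is None:
            # Not a core script: runs only when the switch is off.
            decisions[path.name] = "blocked-not-core" if core_only else "run"
        elif hmac.compare_digest(file_digest(path, algo), expected):
            decisions[path.name] = "run"
        else:
            # Core script whose contents no longer match the manifest.
            decisions[path.name] = "blocked-tampered"
    # A manifest entry with no file on disk is reported as well.
    for name in manifest.keys() - decisions.keys():
        decisions[name] = "missing"
    return decisions


def demo():
    """Constructed sample: two core scripts, one user script, one core script modified."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "io_export.py").write_text("print('export')\n")
        (root / "ui_panel.py").write_text("print('panel')\n")
        (root / "user_addon.py").write_text("print('third party')\n")
        manifest = {n: file_digest(root / n) for n in ("io_export.py", "ui_panel.py")}
        # Simulate modification of a core script after the manifest was built.
        (root / "ui_panel.py").write_text("print('panel')\nimport os\n")
        return (classify_scripts(root, manifest),
                classify_scripts(root, manifest, core_only=True))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The check is only as trustworthy as the manifest: if the manifest sits in a location the same attacker can write to, the digests can be replaced along with the scripts.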

