[Bf-committers] Blender 2.5 malicious scripting

Erwin Coumans erwin.coumans at gmail.com
Thu Feb 25 15:26:29 CET 2010


By default, the best is to disable automatic execution of scripts, I think,
unless the user enables such an option (startup auto-execution-script).

Just make it an easy to enable option (with a warning), but leave it off by
default.
Thanks,
Erwin




On 25 February 2010 03:51, Campbell Barton <ideasman42 at gmail.com> wrote:

> @Tyler, from conversations with python devs, the request of sandboxing
> gets the response "don't even think about it!",
> I'm not especially interested in security to the point where I'd try to
> motivate others, but am not against someone working on it either.
>
> so now this seems to boil down to "who wants to write a patch" :),
> probably should be a command line argument like Dali wrote for 2.4x as
> well as an option on load.
> There are still some issues, like what happens when you double
> click on a file to open, so maybe something like this.
>
> - user default for the startup auto-execution-script value.
> - global flag for auto script execution that is reset on loading blend
> files and can be set on file load.
> would look something like G.flag & G_PY_AUTO_EXEC, U.py_auto_exec
> which could be accessed anywhere.
>
> again, I think hashing scripts would be hard to manage well, not to
> mention hashing every pydriver (can be 100's) and having a place to
> store this, verify, etc.
>
> On Thu, Feb 25, 2010 at 9:26 AM, Stefan Langer
> <mailtolanger at googlemail.com> wrote:
> > 2010/2/25 Tyler Tricker <tntricker at gmail.com>
> >
> >
> >> [...] What about checking MD5 hashes on core scripts and having a
> >> command line option to shut down all other scripts? That way if there
> >> is a bad script, a user still has the ability to open a file to try
> >> and extract useful data.
> >> [...]
> >>
> > Use SHA 'cause MD5 is broken and can be easily faked nowadays.
> > _______________________________________________
> > Bf-committers mailing list
> > Bf-committers at blender.org
> > http://lists.blender.org/mailman/listinfo/bf-committers
> >
>
>
>
> --
> - Campbell


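The flag scheme proposed in the quoted message, sketched as an added example (not Blender source and not written by anyone in the thread). `G_PY_AUTO_EXEC` and `U.py_auto_exec` are the names from the message; the struct layouts, `LoadTrust` and the function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for the names proposed in the thread. */
#define G_PY_AUTO_EXEC (1 << 0)
struct UserPrefs { bool py_auto_exec; };  /* persistent user default */
struct Global    { int flag; };           /* runtime state */
static struct UserPrefs U = { false };    /* off by default */
static struct Global G = { 0 };

/* How the caller (command line, file dialog) wants this load treated. */
enum LoadTrust { LOAD_USE_DEFAULT, LOAD_FORCE_ON, LOAD_FORCE_OFF };

/* Runs at the start of every file load: the runtime flag is rebuilt from
 * scratch, so trust granted to one file never carries over to the next. */
void py_auto_exec_reset_for_load(enum LoadTrust trust)
{
    bool enable = U.py_auto_exec;
    if (trust == LOAD_FORCE_ON)  enable = true;
    if (trust == LOAD_FORCE_OFF) enable = false;
    if (enable) G.flag |= G_PY_AUTO_EXEC;
    else        G.flag &= ~G_PY_AUTO_EXEC;
}

/* Single gate that every automatic entry point (startup scripts, drivers) asks. */
bool py_auto_exec_allowed(void)
{
    return (G.flag & G_PY_AUTO_EXEC) != 0;
}

/* Returns how many of the file's embedded scripts would have been executed. */
int load_file(const char *path, int embedded_scripts, enum LoadTrust trust)
{
    int ran = 0;
    py_auto_exec_reset_for_load(trust);
    for (int i = 0; i < embedded_scripts; i++) {
        if (py_auto_exec_allowed()) ran++;  /* a real loader would execute here */
    }
    printf("%s: ran %d of %d embedded scripts\n", path, ran, embedded_scripts);
    return ran;
}

int main(void)
{
    load_file("trusted.blend", 3, LOAD_FORCE_ON);        /* explicit opt-in */
    load_file("downloaded.blend", 5, LOAD_USE_DEFAULT);  /* back to default: none run */
    return 0;
}
```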