[Bf-committers] Python sandbox
Campbell Barton
ideasman42 at gmail.com
Wed Mar 17 11:02:32 CET 2010
On Wed, Mar 17, 2010 at 9:50 AM, Ton Roosendaal <ton at blender.org> wrote:
> Hi all,
>
> In past discussions I had the impression that Blender's Python cannot
> be simply sandboxed because python.org doesn't cooperate with it.
> Second reason was that Blender apparently is one of the few apps
> embedding Python on such a level.
>
> Philipp Guehring sent me these links and a suggestion:
>
> http://sayspy.blogspot.com/2007/05/i-have-finished-securing-python.html
This would mean we would have to distribute blender with a totally
limited python, exporters, importers wouldnt work right. it also
removes functions we're relying on for some 2.5 internals.
> http://people.cs.ubc.ca/~drifty/papers/python_security.pdf
fairly easy to work around, edited namespace can be circumvented by...
f = [ t for t in (1).__class__.__mro__[-1].__subclasses__() if
t.__name__ == 'file'][0]('/some_file.txt', 'w')
> http://svn.python.org/view/python/branches/bcannon-objcap/
apparently proof of concept sandbox branch of python, cant get info on
this easily, looks to be 2 years old.
> http://codespeak.net/pypy/dist/pypy/doc/sandbox.html
pypy cant be used since we rely on C/Python
> http://lackingrhoticity.blogspot.com/2009/06/python-standard-library-in-native.html
Also cant be used because we need C/Python API
>
> Perhaps a Google SoC project to secure Blender's Python could help here.
>
> -Ton-
I'm not interested in this for a few reasons...
* Its a lot of work, even python guys have trouble to do this well and
there are way more python developers then blenders.
* If we had a totally sandboxed python this would limit scripts to the
point where scripts would not be able to do basic tasks (exporting,
writing files etc).
* If people start running a sandboxed blender this is a mode many
scripts need to support, a little like we had with 2.4x where we would
have to check if a fill python was installed, complain if it wasn't,
tell them to install etc.
if this goes ahead Id at least make sure it could be disabled at
compile time, but I really prefer it doesn't.
More information about the Bf-committers
mailing list