[Bf-committers] Python sandbox

Rick Yorgason rick at firefang.com
Thu Mar 25 05:48:09 CET 2010


I've been following this discussion for a while.  Incidentally, I just
read a little blurb from Herb Sutter's blog regarding security:

http://herbsutter.com/2010/03/22/links-i-enjoyed-reading-this-week-2/

The moral of the story is that the danger of attacks is directly
proportional to the popularity of your product, so every time you work
to make Blender more popular, you're also raising the danger of attacks.
Clearly, something has to be done sooner or later, unless you don't
expect Blender to get more popular.

That isn't to say that something has to be done *today*, but something
definitely has to be done.

One particularly nasty attack I can think of is to write a Blender
virus: when you open a .blend file and run its scripts (either because
scripts are enabled by default, or you didn't realize one of the scripts
was a virus; remember, some of the scripts might actually be legit) it
infects your Blender install, and subsequently infects all your personal
.blend files, all without your knowledge.  Then of course, when you send
your .blend files to somebody that trusts you, they don't even question
the scripts, and the virus spreads.  And this virus can do anything,
like silently log your keystrokes, or delete all your files on the 1st
of April.

The point has been brought up that a lot of Blender is run by Python
scripts, but that's okay.  The scripts that ship with Blender don't need
to be run in a sandbox; only the scripts in a .blend file need to.
After all, if the scripts that Blender ships have been compromised, then
your machine has already been owned.

Once you have a sandbox set up for your .blend scripts, you need to
figure out ways to allow certain things that wouldn't normally be
allowed in a sandbox, such as file access.  These aren't impossible
problems, but you might have to be creative (e.g. you can only open
files via a file selection widget, and that widget can't be populated
programmatically).

That would involve deprecating your API (again) and is a lot of work,
but it has to be done eventually.  You don't have to do it today, but
it's worth thinking about it today.

Finally, somebody in this thread said that everybody nowadays keeps
adequate backups.  I'd really like to live in that fantasy world!

-Rick-
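Editor's added example (not part of Rick's message, and not Blender code): the post sketches a design where embedded .blend scripts get no path-based file API at all, and the only way to read a file is through a host-controlled selection step the script cannot steer. The sketch below shows that mediation pattern in plain Python. Every name in it (EmbeddedScriptHost, FileHandle, run_with_choice, the sample scripts) is an assumption made for this example; the `chooser` callable stands in for the user-facing file widget.

```python
"""Host-mediated file access for untrusted embedded scripts (illustration).

Idea from the thread: bundled scripts are trusted, scripts carried inside a
.blend file are not. Untrusted scripts never see a path-taking `open`; they
only get a handle to whatever the host (i.e. the user, via a widget) chose.
All names here are constructed for this example, not Blender APIs.
"""
import io
from typing import Callable, Dict, List, Optional


class FileHandle:
    """Read-only view of one file the host chose; it carries no path."""

    def __init__(self, name: str, data: bytes) -> None:
        self._name = name
        self._buf = io.BytesIO(data)

    @property
    def name(self) -> str:
        return self._name

    def read(self, n: int = -1) -> bytes:
        return self._buf.read(n)


class EmbeddedScriptHost:
    """Host-side state an embedded script must never reach directly."""

    def __init__(self, files: Dict[str, bytes],
                 chooser: Callable[[List[str]], Optional[str]]) -> None:
        # `files` stands in for the filesystem; `chooser` stands in for the
        # user-driven file-selection widget. The script has no way to pass
        # arguments to the chooser, so it cannot steer which file is picked.
        self._files = files
        self._chooser = chooser
        self.audit: List[tuple] = []  # every mediated access is recorded

    def open_selected_file(self) -> Optional[FileHandle]:
        choice = self._chooser(sorted(self._files))
        self.audit.append(("open_selected_file", choice))
        if choice is None or choice not in self._files:
            return None  # user cancelled, or picked something unknown
        return FileHandle(choice, self._files[choice])

    def run_embedded_script(self, source: str) -> dict:
        # Namespace the script sees: only the mediated accessor, no `open`,
        # no `__import__`. Trimming builtins is not by itself a CPython
        # sandbox; it only shapes the API surface a real sandbox would expose.
        safe_builtins = {"len": len, "str": str, "bytes": bytes, "range": range,
                         "min": min, "max": max, "sum": sum}
        namespace = {"__builtins__": safe_builtins,
                     "open_selected_file": self.open_selected_file,
                     "result": None}
        exec(compile(source, "<embedded .blend script>", "exec"), namespace)
        return {"result": namespace.get("result"), "audit": list(self.audit)}


# Constructed sample scripts (not taken from any real .blend file).
WELL_BEHAVED = """
fh = open_selected_file()
result = len(fh.read()) if fh else -1
"""

PATH_NAMING = """
result = open('some_local_file.txt').read()
"""


def run_with_choice(files: Dict[str, bytes], choice: Optional[str],
                    source: str) -> dict:
    """Run `source` under a chooser that always answers `choice` (None = cancel)."""
    host = EmbeddedScriptHost(files, chooser=lambda names: choice)
    try:
        out = host.run_embedded_script(source)
        out["blocked"] = False
    except NameError:
        # The script asked for an API it was never given (e.g. path-based open).
        out = {"result": None, "audit": list(host.audit), "blocked": True}
    return out


def demo() -> tuple:
    files = {"model.blend": b"BLENDER" + b"\x00" * 100, "notes.txt": b"hello"}
    ok = run_with_choice(files, "notes.txt", WELL_BEHAVED)
    denied = run_with_choice(files, "notes.txt", PATH_NAMING)
    return ok["result"], denied["blocked"], ok["audit"]


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is that the script's code never contains a file name: the audit log shows which file was handed over, but the decision was made outside the script. Whether that handle is read-only, write-capable, or also covers network access is exactly the kind of per-capability choice the post says "you might have to be creative" about.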


