[Bf-committers] [Bf-blender-cvs] SVN commit: /data/svn/bf-blender [34732] trunk/blender/release/bin/ blender-thumbnailer.py: patch [#25972] blender-thumbnailer.py: GVFS support
Xavier Thomas
xavier.thomas.1980 at gmail.com
Wed Feb 9 15:34:24 CET 2011
Hi Campbell,
I would like to know if the Blender thumbnailer deactivate python scripts
inside the blend.
Thumbnailers are big security issues. A malisous .blend on a USB memory
stick could serve as infection vector on all platform. Executing some of the
py scripts inside would make it too easy.
Xavier
2011/2/9 Campbell Barton <ideasman42 at gmail.com>
> Revision: 34732
>
> http://projects.blender.org/scm/viewvc.php?view=rev&root=bf-blender&revision=34732
> Author: campbellbarton
> Date: 2011-02-09 02:09:30 +0000 (Wed, 09 Feb 2011)
> Log Message:
> -----------
> patch [#25972] blender-thumbnailer.py: GVFS support
> from Shinsuke Irie (irie) with some minor edits.
>
> Shinsuke's description from the tracker:
> ---
> I have implemented GVFS framework support of blender-thumbnailer.py which
> allows some file managers like Nautilus and Thunar to show thumbnails in
> trash or network directories. If Python's gio module is available, the
> thumbnailer uses it to access to filesystems mounted via GVFS. This change
> shouldn't affect desktop environments other than GNOME and XFCE.
>
> A function gvfs_open() in this patch is defined to solve a stupid
> incompatibility between Python file object and GIO Seekable object.
>
> On Ubuntu 10.10, I confirmed thumbnails can be generated for file://,
> trash://, sftp://, and smb://.
>
> Modified Paths:
> --------------
> trunk/blender/release/bin/blender-thumbnailer.py
>
> Modified: trunk/blender/release/bin/blender-thumbnailer.py
> ===================================================================
> --- trunk/blender/release/bin/blender-thumbnailer.py 2011-02-09 02:09:25
> UTC (rev 34731)
> +++ trunk/blender/release/bin/blender-thumbnailer.py 2011-02-09 02:09:30
> UTC (rev 34732)
> @@ -24,27 +24,49 @@
> Thumbnailer runs with python 2.6 and 3.x.
> To run automatically with nautilus:
> gconftool --type boolean --set
> /desktop/gnome/thumbnailers/application at x-blender/enable true
> - gconftool --type string --set
> /desktop/gnome/thumbnailers/application at x-blender/command
> "blender-thumbnailer.py %i %o"
> + gconftool --type string --set
> /desktop/gnome/thumbnailers/application at x-blender/command
> "blender-thumbnailer.py %u %o"
> """
>
> import struct
>
>
> +def open_wrapper_get():
> + """ wrap OS spesific read functionality here, fallback to 'open()'
> + """
> +
> + def open_gio(path, mode):
> + g_file = gio.File(path).read()
> + g_file.orig_seek = g_file.seek
> +
> + def new_seek(offset, whence=0):
> + return g_file.orig_seek(offset, [1, 0, 2][whence])
> +
> + g_file.seek = new_seek
> + return g_file
> +
> + try:
> + import gio
> + return open_gio
> + except ImportError:
> + return open
> +
> +
> def blend_extract_thumb(path):
> import os
> + open_wrapper = open_wrapper_get()
>
> # def MAKE_ID(tag): ord(tag[0])<<24 | ord(tag[1])<<16 | ord(tag[2])<<8
> | ord(tag[3])
> REND = 1145980242 # MAKE_ID(b'REND')
> TEST = 1414743380 # MAKE_ID(b'TEST')
>
> - blendfile = open(path, 'rb')
> + blendfile = open_wrapper(path, 'rb')
>
> head = blendfile.read(12)
>
> if head[0:2] == b'\x1f\x8b': # gzip magic
> import gzip
> blendfile.close()
> - blendfile = gzip.open(path, 'rb')
> + blendfile = gzip.GzipFile('', 'rb', 0, open_wrapper(path, 'rb'))
> head = blendfile.read(12)
>
> if not head.startswith(b'BLENDER'):
>
> _______________________________________________
> Bf-blender-cvs mailing list
> Bf-blender-cvs at blender.org
> http://lists.blender.org/mailman/listinfo/bf-blender-cvs
>
More information about the Bf-committers
mailing list