[Bf-committers] Please turn off Auto Run Python Scripts by default

Brecht Van Lommel brechtvanlommel at pandora.be
Tue Jun 4 14:15:09 CEST 2013


There was a decision to turn autorun on even if it causes potential
security issues; what it comes down to is that we can't really secure
Python scripts, but they are critical for many artists' workflows.

For a long discussion on the topic see here:
http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html

On Tue, Jun 4, 2013 at 12:51 PM, Yu Asakusa <yu.asakusa at gmail.com> wrote:
> Hello,
>
> Currently “Auto Run Python Scripts” in the File tab in the user
> preferences (UserPreferencesSystem.use_scripts_auto_execute in Python)
> is turned on by default.  Please turn it off by default.
>
> The current default setting means that when users open a blend file,
> Blender runs any Python scripts in the file as long as they are marked
> for auto-run.  Python scripts can read/write local files and do other
> malicious things.  Therefore, if users would like to open an untrusted
> blend file, they must explicitly disable auto-run by either turning
> off “Auto Run Python Scripts” in the user preferences or turning off
> the “Trusted Source” checkbox in the File Browser window.  (See also
> my post on Google+
> <https://plus.google.com/u/0/102042171744549015655/posts/2ayrQg2gUG6>.)
>
> I do not think many users know it is dangerous to open an untrusted
> blend file with the default settings in Blender.  It is different from
> the common expectation for file-editing programs such as word
> processors: opening an untrusted file in file-editing programs is
> usually not considered to be a security risk.  In other words, in
> file-editing programs, it is the program’s responsibility to prevent
> attacks even if users open malicious files.  Depending on the point of
> view, the current default behavior may be considered a security
> vulnerability in Blender because of the mismatch between the user’s
> expectation and the actual behavior.
>
> Regards,
> Yu