[Bf-committers] Please turn off Auto Run Python Scripts by default

Thomas Dinges blender at dingto.org
Tue Jun 4 15:34:34 CEST 2013


Hi,
as someone previously said, you can start Blender with a parameter (-Y), 
to not start scripts automatically, so there is already an option. You 
can set that to your blender.exe or so, then you don't have to manually 
set it on each startup.
Having a confirmation popup "Do you really want to run the script?" is 
not a good idea, either as a preference or not.

Thomas

On 04.06.2013 15:23, Yu Asakusa wrote:
> Thank you for the reply, and especially for the pointer to the
> previous discussion in April and May 2010.  I was not aware of it.
>
> I think I took a look at all the messages in that thread in the
> archive.  Now I understand it is unacceptable to some people to
> disable autoruns by default.  So I will change my suggestion to the
> following:  Please add an option to confirm before Blender runs Python
> scripts automatically, and turn on this new option by default.
> Probably this option should be ignored in the batch mode.
>
> I tried to find this suggestion in the past thread, but I could not
> find it.  Excuse me if this was already suggested and rejected for
> some reason and I overlooked it, but in that case I am curious what
> the reason for rejection was.
>
> On Tue, Jun 4, 2013 at 8:15 AM, Brecht Van Lommel
> <brechtvanlommel at pandora.be> wrote:
>> There was a decision to turn autorun on even if it causes potential
>> security issues, what it comes down to is that we can't really secure
>> python scripts, but they are critical for many artists' workflows.
>>
>> For a long discussion on the topic see here:
>> http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html
>>
>> On Tue, Jun 4, 2013 at 12:51 PM, Yu Asakusa <yu.asakusa at gmail.com> wrote:
>>> Hello,
>>>
>>> Currently “Auto Run Python Scripts” in the File tab in the user
>>> preferences (UserPreferencesSystem.use_scripts_auto_execute in Python)
>>> is turned on by default.  Please turn it off by default.
>>>
>>> The current default setting means that when users open a blend file,
>>> Blender runs any Python scripts in the file as long as they are marked
>>> for auto-run.  Python scripts can read/write local files and do other
>>> malicious things.  Therefore, if users would like to open an untrusted
>>> blend file, they must explicitly disable auto-run by either turning
>>> off “Auto Run Python Scripts” in the user preferences or turning off
>>> the “Trusted Source” checkbox in the File Browser window.  (See also
>>> my post on Google+
>>> <https://plus.google.com/u/0/102042171744549015655/posts/2ayrQg2gUG6>.)
>>>
>>> I do not think many users know it is dangerous to open an untrusted
>>> blend file with the default settings in Blender.  It is different from
>>> the common expectation for file-editing programs such as word
>>> processors: opening an untrusted file in file-editing programs is
>>> usually not considered to be a security risk.  In other words, in
>>> file-editing programs, it is the program’s responsibility to prevent
>>> attacks even if users open malicious files.  Depending on the point of
>>> view, the current default behavior may be considered as a security
>>> vulnerability in Blender because of the mismatch between user’s
>>> expectation and the actual behavior.
>>>
>>> Regards,
>>> Yu
>>> _______________________________________________
>>> Bf-committers mailing list
>>> Bf-committers at blender.org
>>> http://lists.blender.org/mailman/listinfo/bf-committers


-- 
Thomas Dinges
Blender Developer, Artist and Musician

www.dingto.org
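
The `-Y` startup parameter mentioned in the reply above can be applied per file instead of globally. As an added example that is not part of the original thread: a POSIX shell wrapper that passes `-Y` unless the blend file sits under an allowlisted directory. `TRUSTED_BLEND_DIRS`, `BLENDER_BIN` and the function names are assumptions; `-y` is Blender's counterpart flag that enables auto-execution.

```shell
#!/bin/sh
# Added example (not from the thread): pick Blender's autoexec flag per file.
# TRUSTED_BLEND_DIRS is a hypothetical colon-separated allowlist of directories.

# Print the physical (symlink-free) directory that contains $1, or fail.
canonical_dir() {
    ( cd -P -- "$(dirname -- "$1")" 2>/dev/null && pwd -P )
}

# Print -y (allow auto-run) only when the file lives under an allowlisted
# directory; print -Y (disable auto-run) in every other case, including errors.
autoexec_flag() {
    file=$1
    dir=$(canonical_dir "$file") || { echo "-Y"; return 0; }
    old_ifs=$IFS; IFS=:
    for t in $TRUSTED_BLEND_DIRS; do
        [ -n "$t" ] || continue
        tdir=$( cd -P -- "$t" 2>/dev/null && pwd -P ) || continue
        # Compare with a trailing slash so /a/trusted2 never matches /a/trusted.
        case "$dir/" in
            "$tdir"/*) IFS=$old_ifs; echo "-y"; return 0 ;;
        esac
    done
    IFS=$old_ifs
    echo "-Y"
}

# Launcher: blender_safe scene.blend [other args]
# The flag goes before the file because Blender handles arguments in order.
blender_safe() {
    flag=$(autoexec_flag "$1")
    "${BLENDER_BIN:-blender}" "$flag" "$@"
}
```

Both sides of the comparison are canonicalized first, so a path such as `trusted/../downloads/x.blend` or a symlink out of the allowlisted tree still gets `-Y`.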
