[Bf-committers] Please turn off Auto Run Python Scripts by default

Gaia gaia.clary at machinimatrix.org
Tue Jun 4 15:37:45 CEST 2013


In "User Preferences -> Files" I found the option "Auto Run Python Scripts".
I have disabled this option in my Blender setup. However, I also like your
idea to have the additional option:

- Ask user on load (when Autorun is disabled in user preferences)

Furthermore, it would be nice if I were able to load a blend file
with autorun initially off, but later allow to "enable autorun" after
I have inspected the included scripts and found them trustworthy...



On 04.06.2013 15:23, Yu Asakusa wrote:
> Thank you for the reply, and especially for the pointer to the
> previous discussion in April and May 2010.  I was not aware of it.
>
> I think I took a look at all the messages in that thread in the
> archive.  Now I understand it is unacceptable to some people to
> disable autoruns by default.  So I will change my suggestion to the
> following:  Please add an option to confirm before Blender runs Python
> scripts automatically, and turn on this new option by default.
> Probably this option should be ignored in the batch mode.
>
> I tried to find this suggestion in the past thread, but I could not
> find it.  Excuse me if this was already suggested and rejected for
> some reason and I overlooked it, but in that case I am curious what
> the reason for rejection was.
>
> On Tue, Jun 4, 2013 at 8:15 AM, Brecht Van Lommel
> <brechtvanlommel at pandora.be> wrote:
>> There was a decision to turn autorun on even if it causes potential
>> security issues, what it comes down to is that we can't really secure
>> Python scripts, but they are critical for many artists' workflows.
>>
>> For a long discussion on the topic see here:
>> http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html
>>
>> On Tue, Jun 4, 2013 at 12:51 PM, Yu Asakusa <yu.asakusa at gmail.com> wrote:
>>> Hello,
>>>
>>> Currently “Auto Run Python Scripts” in the File tab in the user
>>> preferences (UserPreferencesSystem.use_scripts_auto_execute in Python)
>>> is turned on by default.  Please turn it off by default.
>>>
>>> The current default setting means that when users open a blend file,
>>> Blender runs any Python scripts in the file as long as they are marked
>>> for auto-run.  Python scripts can read/write local files and do other
>>> malicious things.  Therefore, if users would like to open an untrusted
>>> blend file, they must explicitly disable auto-run by either turning
>>> off “Auto Run Python Scripts” in the user preferences or turning off
>>> the “Trusted Source” checkbox in the File Browser window.  (See also
>>> my post on Google+
>>> <https://plus.google.com/u/0/102042171744549015655/posts/2ayrQg2gUG6>.)
>>>
>>> I do not think many users know it is dangerous to open an untrusted
>>> blend file with the default settings in Blender.  It is different from
>>> the common expectation for file-editing programs such as word
>>> processors: opening an untrusted file in file-editing programs is
>>> usually not considered to be a security risk.  In other words, in
>>> file-editing programs, it is the program’s responsibility to prevent
>>> attacks even if users open malicious files.  Depending on the point of
>>> view, the current default behavior may be considered as a security
>>> vulnerability in Blender because of the mismatch between the user’s
>>> expectation and the actual behavior.
>>>
>>> Regards,
>>> Yu
>>> _______________________________________________
>>> Bf-committers mailing list
>>> Bf-committers at blender.org
>>> http://lists.blender.org/mailman/listinfo/bf-committers


