[Bf-committers] Please turn off Auto Run Python Scripts by default

Campbell Barton ideasman42 at gmail.com
Tue Jun 4 20:44:55 CEST 2013


On Wed, Jun 5, 2013 at 3:58 AM, David Jeske <davidj at gmail.com> wrote:
> On Tue, Jun 4, 2013 at 8:05 AM, Brecht Van Lommel <
> brechtvanlommel at pandora.be> wrote:
>
>> Here's another discussion where the popup idea comes up:
>> http://lists.blender.org/pipermail/bf-committers/2010-March/026573.html
>>
>> It's a tradeoff, do we really want to degrade usability for this?
>
>
> I don't think this is a question of degrading expert blender usability.
> It's a question of protecting a broader less expert userbase from malicious
> blend files.
>
> I think your previous post is an excellent case for not SILENTLY disabling
> scripts by default. [1] However, this is not the only option. For nearly a
> decade MS-Word has been using a challenge dialog before running scripts. Is
> there ideological opposition to default to showing a dialog before
> processing python scripts in a blend file?

Blender doesn't have these kinds of dialogs available (ones that block
everything and wait for input), also checking if a script will run
isn't totally trivial - any driver can run a script for example.

So yes - both are solvable, but it's not easily supported without some
extra work - probably this is why someone hasn't written a patch
already.

>> The decision at the time was that no, we do not. Also note that even
>> disabling scripts does not make Blender secure, there's dozens of
>> other ways to create malicious .blend files.
>>
>
> What are the other "dozen" ways blender could
> read/destroy/send-files-to-the-internet/install-viruses with python scripts
> disabled?

I would assume these other ways would have to make use of hand crafted
blend files that cause buffer overruns to run malicious executable
code.

> [1] http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html



-- 
- Campbell

