[Bf-committers] Please turn off Auto Run Python Scripts by default

Brecht Van Lommel brechtvanlommel at pandora.be
Tue Jun 4 21:38:07 CEST 2013


On Tue, Jun 4, 2013 at 7:58 PM, David Jeske <davidj at gmail.com> wrote:
>> The decision at the time was that no, we do not. Also note that even
>> disabling scripts does not make Blender secure, there's dozens of
>> other ways to create malicious .blend files.
>>
>
> What are the other "dozen" ways blender could
> read/destroy/send-files-to-the-internet/install-viruses with python scripts
> disabled?

Some examples:

* Animation rendering, compositor file output node, point caches, etc
all write to disk. When set to certain paths they can overwrite
important files.
* Blend files can contain user preferences and those will be loaded
automatically.
* Keyboard shortcuts can be bound to arbitrary operators which can be
used to do pretty much anything.
* We don't generally keep up with the latest security fixes for jpg,
png, .. libraries.
* Auto Start for games.
* Specially crafted screen setup so user executes code in the python
console editor without noticing.
* Buffer overflows are easy to achieve with the current .blend file
reading code.

Scripts of course make it easier, but even without that it's still
fairly easy to do damage.

Brecht.
