[Bf-committers] Please turn off Auto Run Python Scripts by default

Campbell Barton ideasman42 at gmail.com
Tue Jun 4 22:02:16 CEST 2013


On Wed, Jun 5, 2013 at 5:38 AM, Brecht Van Lommel
<brechtvanlommel at pandora.be> wrote:
> On Tue, Jun 4, 2013 at 7:58 PM, David Jeske <davidj at gmail.com> wrote:
>>> The decision at the time was that no, we do not. Also note that even
>>> disabling scripts does not make Blender secure, there's dozens of
>>> other ways to create malicious .blend files.
>>>
>>
>> What are the other "dozen" ways blender could
>> read/destroy/send-files-to-the-internet/install-viruses with python scripts
>> disabled?
>
> Some examples:
>
> * Animation rendering, compositor file output node, point caches, etc
> all write to disk. When set to certain paths they can overwrite
> important files.
> * Blend files can contain user preferences and those will be loaded
> automatically.
> * Keyboard shortcuts can be bound to arbitrary operators which can be
> used to do pretty much anything.
> * We don't generally keep up with the latest security fixes for jpg,
> png, .. libraries.
> * Auto Start for games.
> * Specially crafted screen setup so user executes code in the python
> console editor without noticing.
> * Buffer overflows are easy to achieve with the current .blend file
> reading code.
>
> Scripts of course make it easier, but even without that it's still
> fairly easy to do damage.
>
> Brecht.

Checked over these items, and from what I can tell, disabling `Trusted
Source` on load still works well to ensure arbitrary scripts contained
within the blend file don't run - BGE autostart also respects this
option.

Even tricking the user into using the python console would require some
user interaction.

Loading user preferences is a bit of a worry, but even in this case I
couldn't get a script to auto-execute on startup since it doesn't save
drivers/text to that file.
However, if the user assumes running scripts is disabled in the
preferences, a blend file manages to enable this, then they load a
second blend --- it could be used to trick the user into running
scripts still.

And of course with buffer overflows all bets are off,
but this is also a lot more involved than simply adding a python
script to a blend file and telling it to run which is the case we
wanted `Trusted Source` option to deal with.

-- 
- Campbell