[Bf-committers] Please turn off Auto Run Python Scripts by default
David Jeske
davidj at gmail.com
Wed Jun 5 07:15:18 CEST 2013
This issue would be less problematic if new versions of Blender would read
preferences set from older versions. Currently in my experience all
preferences have to be re-set after each new version download, which means
if you turn off "auto load scripts" it only stays off until the next
download.

On Tue, Jun 4, 2013 at 2:15 PM, Brecht Van Lommel <brechtvanlommel at pandora.be> wrote:
> Regarding implementation of a popup: if it is desired, you could load
> the file with scripts disabled, and then in the info header have a
> warning and button to reload the file with scripts enabled. That's
> nicely non-modal too.
>

This seems like quite an elegant Blender-esque option.

It does appear this is a vulnerability in other popular 3D modeling
tools... I believe the attack surface area of Blender may be worse than
Maya or 3ds, as Blender is a free download. However, it's probably
comparable to DAZ Studio, which is also free and also has this
vulnerability.

http://www.coresecurity.com/content/blender-scripting-injection
http://www.coresecurity.com/content/maya-arbitrary-command-execution
http://www.coresecurity.com/content/3dsmax-arbitrary-command-execution
http://www.coresecurity.com/content/dazstudio-scripting-injection

It might be worth adding this comparison information to the FAQ.