[Bf-committers] Please turn off Auto Run Python Scripts by default

Campbell Barton ideasman42 at gmail.com
Wed Jun 5 07:51:50 CEST 2013


On Wed, Jun 5, 2013 at 3:15 PM, David Jeske <davidj at gmail.com> wrote:
> This issue would be less problematic if new versions of blender would read
> preferences set from older versions. Currently in my experience all
> preferences have to be re-set after each new version download. Which means
> if you turn off "auto load scripts" it only stays off until the next
> download.

When you load a new version of blender the splash screen should show
the option "Copy Previous Settings", though it's limited to updating
from the previous release.

Though it's not foolproof, since you could install blender then
immediately load an untrusted blend file before you have a chance to
restore preferences.

>
> On Tue, Jun 4, 2013 at 2:15 PM, Brecht Van Lommel <
> brechtvanlommel at pandora.be> wrote:
>
>> Regarding implementation of a popup: if it is desired, you could load
>> the file with scripts disabled, and then in the info header have a
>> warning and button to reload the file with scripts enabled. That's
>> nicely non-modal too.
>>
>
> This seems like quite an elegant blender-esque option.
>
> It does appear this is a vulnerability in other popular 3d modeling
> tools... I believe the attack surface area of blender may be worse than
> Maya or 3ds, as blender is a free download. However, it's probably
> comparable to DAZ studio, which is also free and also has this
> vulnerability.
>
> http://www.coresecurity.com/content/blender-scripting-injection
> http://www.coresecurity.com/content/maya-arbitrary-command-execution
> http://www.coresecurity.com/content/3dsmax-arbitrary-command-execution
> http://www.coresecurity.com/content/dazstudio-scripting-injection
>
> It might be worth adding this comparison information to the FAQ.



-- 
- Campbell
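The non-modal design Brecht describes (load with scripts disabled, show a warning, let the user explicitly reload with scripts enabled) as an added Python example; this is not Blender's code, and the line-based file format, the `rename`/`delete` script commands and the `auto_run_scripts` preference key are all constructed for illustration. Because the default preference is scripts off, a file opened before preferences have been restored is handled the same way as any other untrusted file.

```python
from dataclasses import dataclass, field

# Constructed sample file in a made-up line-based format (not .blend).
SAMPLE_FILE = """\
object: cube
object: lamp
script: rename cube cube_renamed
script: delete lamp
"""

# Assumed default: scripts embedded in a file never run unless the user opts in.
DEFAULT_PREFERENCES = {"auto_run_scripts": False}


@dataclass
class Document:
    objects: list
    scripts: list                      # embedded script lines, parsed but not run
    warnings: list = field(default_factory=list)
    scripts_executed: bool = False


def parse(raw: str) -> Document:
    """Parse the file. Parsing records embedded scripts but never executes them."""
    objects, scripts = [], []
    for line in raw.splitlines():
        key, _, value = line.partition(":")
        if key == "object":
            objects.append(value.strip())
        elif key == "script":
            scripts.append(value.strip())
    return Document(objects, scripts)


def run_scripts(doc: Document) -> None:
    """Apply the embedded scripts. In this toy format a script is either
    'rename OLD NEW' or 'delete NAME'; anything else is rejected."""
    for script in doc.scripts:
        parts = script.split()
        cmd = parts[0] if parts else ""
        if cmd == "rename" and len(parts) == 3:
            doc.objects = [parts[2] if o == parts[1] else o for o in doc.objects]
        elif cmd == "delete" and len(parts) == 2:
            doc.objects = [o for o in doc.objects if o != parts[1]]
        else:
            raise ValueError(f"unsupported script command: {script!r}")
    doc.scripts_executed = True


def load(raw: str, preferences: dict, enable_scripts: bool = False) -> Document:
    """Load a file. Scripts run only if the user preference allows it or the
    caller explicitly asked for it (the 'reload with scripts enabled' button).
    Otherwise the file still opens, and a warning is recorded for the header."""
    doc = parse(raw)
    allowed = enable_scripts or preferences.get("auto_run_scripts", False)
    if doc.scripts and not allowed:
        doc.warnings.append(
            f"{len(doc.scripts)} embedded script(s) were not run; "
            "use 'Reload with scripts enabled' to trust this file")
    elif doc.scripts:
        run_scripts(doc)
    return doc


def reload_trusted(raw: str, preferences: dict) -> Document:
    """The explicit user action behind the warning-header button."""
    return load(raw, preferences, enable_scripts=True)


if __name__ == "__main__":
    doc = load(SAMPLE_FILE, DEFAULT_PREFERENCES)
    print(doc.objects, doc.warnings)          # scripts skipped, scene intact
    doc = reload_trusted(SAMPLE_FILE, DEFAULT_PREFERENCES)
    print(doc.objects, doc.scripts_executed)  # scripts applied after opt-in
```

The point of keeping `parse` and `run_scripts` separate is that the decision to execute is made once, in `load`, from the preference and the explicit user action, and nothing in the file itself can flip it.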

