[Bf-committers] Please turn off Auto Run Python Scripts by default

Fri Jun 7 15:15:08 CEST 2013

If you want security by default then my suggestion is to just disable
scripts by default on load. If the .blend file contains a script the
info header can show a warning and button to reload the .blend file
with scripts enabled.

Realistically I think Python and the Blender Python API are just
insecure, and that securing them is not feasible. We could however
make it difficult enough to do this that only an expert could make
malicious .blend files. That does mean we need to fork Python, create
a sandbox implementation for Python 3.0, and audit the entire API for
security issues, and then create a system where we make a distinction
between secure and insecure scripts (as the latter will always be
needed for some cases). I expect that would take 6-12 months of
development time, along with continued work maintaining our own Python
fork and keeping the BPY API secure.

Switching to another language takes even more development time of
course, and Python is basically the standard scripting language for
3D. Users often to own scripting, especially at small studios, and so
I thinking saying users come before scripters in this case. Switching
to a language like LUA which does not a similar ecosystem around the
language would definitely affect users.

On Fri, Jun 7, 2013 at 1:12 PM, Ton Roosendaal <ton at blender.org> wrote:
> Hi all Pythoneers,
>
> Scripters are important for Blender, but just like the C developers they have a responsibility for users out there. A good proposal for security has to come from you as experts first.
>
> If this discussion just leads to marking every idea as impossible (Python is insecure by design) then we should have a big problem with keeping Python in Blender. Fork it, sandbox it, or move to LUA.
>
> Let it be clear: we're making Blender here, which is meant to be a 3D creation tool. It's not a Python development environment. Users come first, scripters and coders second. So... stop being smartasses and think constructive a bit.
>
> -Ton-
>
> --------------------------------------------------------
> Ton Roosendaal  -  ton at blender.org   -   www.blender.org
> Chairman Blender Foundation - Producer Blender Institute
> Entrepotdok 57A  -  1018AD Amsterdam  -  The Netherlands
>
>
>
> On 7 Jun, 2013, at 12:08, Domino Marama wrote:
>
>> On 06/07/2013 10:21 AM, Ton Roosendaal wrote:
>>> Hi Campbell,
>>>
>>> I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users?
>>>
>>> Look for example at the standard UI scripts. Apart from 1 case, there's no "import os" anywhere. Same goes for essential scripts riggers or animators use.
>>>
>>> So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all other cases: needs to be explicitly permitted to run.
>>>
>>> Something like this would make a "trusted source" option on file loading more useful. Right now, unticking "trusted source" is almost equivalent to "disable useful features".
>>>
>>>
>>>>> oh = 'SOS HELP!'
>>>>> ohoh = __import__(oh[1:3].lower())
>>>>> ohoh
>> <module 'os' from
>> '/home/domino/Applications/blender-2.67-linux-glibc211-x86_64/2.67/python/lib/python3.3/os.py'>
>>
>> On Linux distros where system Python is used, I doubt anything can be
>> done to prevent the import function from being used.
>>
>> Load Blender with a console, check there's the startup message on it.
>> Then paste this into say the frame number field..
>>
>> eval("__import__('os').system('clear')", {})
>>
>> Now check console again.. Just checking scripts for imports isn't enough.
>> _______________________________________________
>> Bf-committers mailing list
>> Bf-committers at blender.org
>> http://lists.blender.org/mailman/listinfo/bf-committers
>
> _______________________________________________
> Bf-committers mailing list
> Bf-committers at blender.org
> http://lists.blender.org/mailman/listinfo/bf-committers