[Bf-committers] Please turn off Auto Run Python Scripts by default

Ton Roosendaal ton at blender.org
Fri Jun 7 16:02:23 CEST 2013


Hi,

> If you want security by default then my suggestion is to just disable
> scripts by default on load. If the .blend file contains a script the
> info header can show a warning and button to reload the .blend file
> with scripts enabled.

Sounds OK - I also need to know how this works for add-ons then. If our standard is to have scripts require this registration as add-on first, we have a built-in security as well. Activate once, then use.

> Realistically I think Python and the Blender Python API are just
> insecure, and that securing them is not feasible. We could however
> make it difficult enough to do this that only an expert could make
> malicious .blend files. That does mean we need to fork Python, create
> a sandbox implementation for Python 3.0, and audit the entire API for
> security issues, and then create a system where we make a distinction
> between secure and insecure scripts (as the latter will always be
> needed for some cases). I expect that would take 6-12 months of
> development time, along with continued work maintaining our own Python
> fork and keeping the BPY API secure.

This development should be done by Python.org then. Blender is not the only Python embedded project that would love to see attention for such topics.
A year of development time would be feasible to organize sponsoring for. Autodesk hint hint!

Besides that - I think you make a logical mistake in the reasoning. We don't need to make a completely secure Python for everything. We just want safe ways of running scripts in Blender. Reduce the problem first, then tackle it. And then - in the end - check on how to enable administrators to manage their hard drives.

-Ton-

> 
> Switching to another language takes even more development time of
> course, and Python is basically the standard scripting language for
> 3D. Users often do their own scripting, especially at small studios, and so
> I thinking saying users come before scripters in this case. Switching
> to a language like LUA which does not have a similar ecosystem around the
> language would definitely affect users.
> 
> On Fri, Jun 7, 2013 at 1:12 PM, Ton Roosendaal <ton at blender.org> wrote:
>> Hi all Pythoneers,
>> 
>> Scripters are important for Blender, but just like the C developers they have a responsibility for users out there. A good proposal for security has to come from you as experts first.
>> 
>> If this discussion just leads to marking every idea as impossible (Python is insecure by design) then we should have a big problem with keeping Python in Blender. Fork it, sandbox it, or move to LUA.
>> 
>> Let it be clear: we're making Blender here, which is meant to be a 3D creation tool. It's not a Python development environment. Users come first, scripters and coders second. So... stop being smartasses and think constructively a bit.
>> 
>> -Ton-
>> 
>> --------------------------------------------------------
>> Ton Roosendaal  -  ton at blender.org   -   www.blender.org
>> Chairman Blender Foundation - Producer Blender Institute
>> Entrepotdok 57A  -  1018AD Amsterdam  -  The Netherlands
>> 
>> 
>> 
>> On 7 Jun, 2013, at 12:08, Domino Marama wrote:
>> 
>>> On 06/07/2013 10:21 AM, Ton Roosendaal wrote:
>>>> Hi Campbell,
>>>> 
>>>> I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users?
>>>> 
>>>> Look for example at the standard UI scripts. Apart from 1 case, there's no "import os" anywhere. Same goes for essential scripts riggers or animators use.
>>>> 
>>>> So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all other cases: needs to be explicitly permitted to run.
>>>> 
>>>> Something like this would make a "trusted source" option on file loading more useful. Right now, unticking "trusted source" is almost equivalent to "disable useful features".
>>>> 
>>>> 
>>> >>> oh = 'SOS HELP!'
>>> >>> ohoh = __import__(oh[1:3].lower())
>>> >>> ohoh
>>> <module 'os' from
>>> '/home/domino/Applications/blender-2.67-linux-glibc211-x86_64/2.67/python/lib/python3.3/os.py'>
>>> 
>>> On Linux distros where system Python is used, I doubt anything can be
>>> done to prevent the import function from being used.
>>> 
>>> Load Blender with a console, check there's the startup message on it.
>>> Then paste this into say the frame number field..
>>> 
>>> eval("__import__('os').system('clear')", {})
>>> 
>>> Now check console again.. Just checking scripts for imports isn't enough.
>>> _______________________________________________
>>> Bf-committers mailing list
>>> Bf-committers at blender.org
>>> http://lists.blender.org/mailman/listinfo/bf-committers
>> 
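
The point made in Domino Marama's quoted reply, as an added example that is not part of the original thread or of Blender's code: a text-level scan for import statements (one reading of the "don't allow import" proposal) passes both snippets from the thread, while an AST walk with a denylist of builtin calls flags them. The function names, the denylist and the sample set are assumptions constructed for illustration.

```python
import ast

# Constructed samples: the two snippets quoted in the thread, a plain import,
# and a harmless expression of the kind typed into a numeric field.
SAMPLES = {
    "plain_import": "import os\nos.getcwd()",
    "sliced_name": "oh = 'SOS HELP!'\nohoh = __import__(oh[1:3].lower())",
    "eval_field": "eval(\"__import__('os').system('clear')\", {})",
    "benign": "frame = 24 * 2 + 1",
}

# Hypothetical denylist of builtins that reach modules or run strings as code.
RISKY_CALLS = {"__import__", "eval", "exec", "compile", "getattr", "open"}


def naive_import_check(source):
    """Text-level scan: True if any line starts with an import statement."""
    return any(line.strip().startswith(("import ", "from "))
               for line in source.splitlines())


def ast_findings(source):
    """Sorted labels for import statements and risky builtin calls in the AST."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            found.add("import")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in RISKY_CALLS:
                found.add(node.func.id)
    return sorted(found)


def eval_empty_globals_has_builtins():
    """eval(expr, {}) inserts __builtins__ into the empty dict it is given,
    so __import__ stays reachable, as the frame-field snippet relies on."""
    env = {}
    eval("1", env)
    return "__builtins__" in env and callable(eval("__import__", {}))


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, naive_import_check(src), ast_findings(src))
    print("builtins injected:", eval_empty_globals_has_builtins())
```

The AST pass is still a denylist over names written literally in the source, so it is a review aid for flagging scripts, not a sandbox.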


