[Bf-python] Security

Willian Padovani Germano wgermano at ig.com.br
Mon Jul 21 03:48:47 CEST 2003


Hi,

Here's the first of those three emails I mentioned.

It's about security: giving users control over potentially dangerous
things a Python script could do.

First of all: if you don't care about this, don't worry, it's meant as
an optional feature for those who want/need it.

With the "sandbox" approach, we reduce the issue to two things:
importing and file access.  To change the default behavior in Python we
have to redefine two builtins: the import method and the file object.

Import:

Importing is considered a serious security risk.  A 'safest mode' would
simply disallow importing and warn the user about that (telling them
that imports had been disallowed and to toggle a button in the user pref
win in Blender if they wanted to allow imports again).  That was the
plan in the old bpython code and it's pretty trivial to do.  Of course
the "factory default" is to allow imports.

We already redefined the import mechanism (it's in cvs, but not in
NewPy1, the version recently released) to let Blender texts be
imported.  So it's not hard to add security to it, maybe with a "safest"
mode and another that only blocked some imports (this is naive, but
...).

File:

The open() Python builtin type was renamed to file() (the name 'open' is
still available, and is equal to file, to support older code).  I've
been looking around and only saw a comment stating that the file object
can't be redefined (to something usable for file access, I suppose).
The game engine code in Blender redefines it to a message that tells
users that file access is not allowed.  If that works, we already have
the "safest mode".

But the idea was to restrict file access -- writing and eventually
reading (in a "safer" mode) -- to some pre-defined dir(s).  The
Sandbox.py script that is easy to find on the net does that, but I still
have to study the code to understand how.

BTW: for its newer version, the Sandbox.py page has this comment:
-----------------
16 Jun 2003: SandBox is not secure. After a discussion in the German
Python list, I have to suppose that since introduction of new-style
classes real control of Python code is not possible at all. Thanks to
Martin v Löwis for his hints.
As far as I can see, SandBox.py is secure if you use Python 2.1. May be
this is o.k. for simple scripting tasks.
------------------
Here's the link: http://www.procoders.net/pythonstuff/SandBox/

One possibility that occurred to me (besides some that don't solve the
problem, only make it harder -- the foolish cat vs. mouse game) is to
use the Blender.Text module for file access.  If it's not complete
enough for that (I don't remember right now), it's easy to upgrade it.
So there's this solution: "safe" scripts can use the Blender.Text module
for reading / writing files and run in an env with the Python builtin
file object blocked.  Or if possible we can redefine the file object to
a Blender.Text object (if we update it to have all the methods file()
has).

I'll keep thinking / searching and also try some code.  If anyone knows
anything about redefining the file builtin object in Python, please tell
us.

--
Willian, wgermano at ig.com.br
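Added example (not the author's code nor Blender's): the two-builtin sandbox described in the message, written in modern Python 3, where the file object is `open()` rather than Python 2's `file`. `run_sandboxed()` executes a script with an allowlisting `__import__` and an `open()` confined to one pre-defined directory, as the "safer" mode proposes; the module allowlist and the sample scripts in `demo()` are constructed.

```python
import builtins
import os
import tempfile

ALLOWED_MODULES = {"math", "random"}  # constructed allowlist for the "safer" mode

def make_restricted_import(allowed):
    # Replacement for the __import__ builtin: refuses any top-level module off the allowlist.
    real_import = builtins.__import__
    def restricted_import(name, globals=None, locals=None, fromlist=(), level=0):
        if name.split(".")[0] not in allowed:
            raise ImportError(f"import of {name!r} is disabled in this sandbox mode")
        return real_import(name, globals, locals, fromlist, level)
    return restricted_import

def make_restricted_open(allowed_dir):
    # Replacement for open(): every path must resolve inside allowed_dir.
    base = os.path.realpath(allowed_dir)  # resolved once, so '..' and symlinks cannot escape
    def restricted_open(path, mode="r", *args, **kwargs):
        target = os.path.realpath(os.path.join(base, os.fspath(path)))
        if os.path.commonpath([base, target]) != base:
            raise PermissionError(f"file access outside {base!r} is disabled: {path!r}")
        return open(target, mode, *args, **kwargs)  # the real open, from this module's scope
    return restricted_open

def run_sandboxed(source, allowed_dir, allowed_modules=ALLOWED_MODULES):
    # exec() the script with the two builtins swapped; returns the script's namespace.
    safe_builtins = dict(vars(builtins))
    safe_builtins["__import__"] = make_restricted_import(allowed_modules)
    safe_builtins["open"] = make_restricted_open(allowed_dir)
    env = {"__builtins__": safe_builtins}
    exec(source, env)
    return env

def demo():
    # Four constructed sample scripts; reports which ones the sandbox let through.
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        for label, script in [("math", "import math\nx = math.sqrt(16)\n"),
                              ("os", "import os\n"),
                              ("write", "with open('out.txt', 'w') as f: f.write('hi')\n"),
                              ("escape", "open('../escape.txt', 'w')\n")]:
            try:
                run_sandboxed(script, sandbox)
                results[label] = "allowed"
            except (ImportError, PermissionError) as e:
                results[label] = type(e).__name__
        with open(os.path.join(sandbox, "out.txt")) as f:
            results["written"] = f.read()
    return results
```

As the quoted SandBox.py note says, a builtins-level sandbox like this is not a real control on Python code once new-style classes are available, so it guards against accidents in trusted scripts rather than against hostile ones.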
