[Bf-python] Evil Space EXPLAINED

Germán Alonso german at sistrans.com
Fri Apr 21 16:32:45 CEST 2006


Yes, I ABSOLUTELY agree with Cam:

Doing some research for my degree project I found a way to execute scripts
without user intervention, as this was a must for the project.

The file www.sistrans.com/nested_run_scripts.zip

will launch automatically once you load it into Blender, as it has an on-load
script link. This in fact can run an evil script, but if script links are
disabled this won't happen.

The thing is that this code just launches an event in a window (a PAD9) to
the upper 3D window,
and this launches a script that in this case is a GUI but may be evil code
just launched using a button press.

This is a real and serious security problem; the thing is that in some cases
it may be a desired behaviour, for example using Blender as a development base,
which is what I'm doing.

So the button that Cam says is needed, but when the file is loaded with a
double click another warning solution is needed, and for new developments
using Blender and storing the scripts in blend files some kind of sign to mark
the file as trusted is also needed, so the user won't be saying each time that
the file is safe.


I expect this to be useful info. In the zip file you'll find all the
scripts that are in the blend file; it was related to a GUI issue that now
has been understood.


Germán Alonso
www.sistrans.com



----- Original Message ----- 
From: "Campbell Barton" <cbarton at metavr.com>
To: <bf-python at blender.org>
Sent: Thursday, April 20, 2006 6:05 PM
Subject: [Bf-python] Evil Space


> Pythoners, at the moment it would be really easy to make a malicious Blend 
> file using space handlers. - remove your home dir on RMB or some such 
> script.
> Could we have the "Enable Script Links" also affect space handlers?
>
> I'd like to see a "Trusted" button on the file open window, so you have 
> the choice when opening files from the tracker. At the moment most people 
> probably don't think to do this when opening foreign blends ..
>
> - Cam
>
> -- 
> Campbell J Barton
>
> 133 Hope Street
> Geelong West, Victoria 3218 Australia
>
> URL:    http://www.metavr.com
> e-mail: cbarton at metavr.com
> phone: AU (03) 5229 0241
>
>
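Both messages above hinge on the same fact: a foreign .blend can carry embedded Text datablocks (scripts) that a script link or space handler fires without the user doing anything. The following is an added example, not code from the thread or from Blender itself. It is a coarse triage tool a user could run on a downloaded .blend before opening it with script links enabled: it walks the file's block headers and counts embedded Text datablocks. The on-disk layout it assumes (12-byte "BLENDER" header with pointer-size and endianness flags, then blocks of code/size/old-pointer/SDNA-index/count followed by data, terminated by "ENDB", with Text datablocks carrying the code "TX") is my reading of Blender's file format and is an assumption here; the sample bytes are constructed inline so the script runs offline. It does not decode the DNA, so it cannot tell which Text blocks are wired to a script link or space handler; it only says whether there is anything to review.

```python
import struct
from typing import List, Tuple


def list_blocks(blend: bytes) -> List[Tuple[str, int]]:
    """Return (block code, data size) for every file block, up to and including ENDB.

    Assumed layout: 'BLENDER' magic, pointer-size char ('_' = 4 bytes, '-' = 8),
    endianness char ('v' = little, 'V' = big), 3-char version, then block headers of
    4-byte code, int32 size, old pointer, int32 SDNA index, int32 count, then data.
    """
    if len(blend) < 12 or blend[:7] != b"BLENDER":
        raise ValueError("not a .blend file (missing BLENDER magic)")
    ptr_size = 4 if blend[7:8] == b"_" else 8
    endian = "<" if blend[8:9] == b"v" else ">"
    ptr_fmt = "I" if ptr_size == 4 else "Q"
    hdr_fmt = endian + "4si" + ptr_fmt + "ii"
    hdr_len = struct.calcsize(hdr_fmt)

    blocks: List[Tuple[str, int]] = []
    pos = 12
    while pos + hdr_len <= len(blend):
        code, size, _old_ptr, _sdna, _count = struct.unpack_from(hdr_fmt, blend, pos)
        code_str = code.rstrip(b"\x00").decode("ascii", "replace")
        blocks.append((code_str, size))
        if code == b"ENDB":
            break
        # A size that runs past EOF means a damaged or hostile file; stop rather than guess.
        if size < 0 or pos + hdr_len + size > len(blend):
            raise ValueError(f"block {code_str} at offset {pos} runs past end of file")
        pos += hdr_len + size
    else:
        raise ValueError("truncated file: no ENDB block found")
    return blocks


def embedded_script_count(blend: bytes) -> int:
    """Number of Text datablocks (assumed block code 'TX') in the file."""
    return sum(1 for code, _ in list_blocks(blend) if code == "TX")


def triage(blend: bytes) -> str:
    """One-line verdict for a downloaded .blend before enabling script links."""
    n = embedded_script_count(blend)
    if n == 0:
        return "no embedded Text datablocks"
    return f"{n} embedded Text datablock(s): review before enabling script links"


# Constructed sample data for this example (not a real file from the thread):
# a minimal .blend-style stream with one Object block and N Text blocks.
def build_sample_blend(text_blocks: int, pointer_size: int = 4) -> bytes:
    ptr_char = b"_" if pointer_size == 4 else b"-"
    ptr_fmt = "<I" if pointer_size == 4 else "<Q"
    out = bytearray(b"BLENDER" + ptr_char + b"v" + b"241")

    def block(code: bytes, data: bytes) -> bytes:
        # old pointer and SDNA index are placeholders; count is 1
        return (code + struct.pack("<i", len(data)) + struct.pack(ptr_fmt, 0xDEADBEEF)
                + struct.pack("<ii", 0, 1) + data)

    out += block(b"OB\x00\x00", b"\x00" * 16)
    for i in range(text_blocks):
        out += block(b"TX\x00\x00", b"Text" + bytes([i]))
    out += block(b"ENDB", b"")
    return bytes(out)


if __name__ == "__main__":
    for n in (0, 2):
        print(triage(build_sample_blend(n)))
```

To use it on a real download, replace the constructed sample with `open(path, "rb").read()`. A non-zero count is not proof of malice (Blender's own UI scripts and this thread's GUI example are legitimate Text blocks), but it is exactly the case where the "Trusted" confirmation Cam asks for should be answered by looking at the scripts first.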