If you want security by default then my suggestion is to just disable scripts by default on load. If the .blend file contains a script the info header can show a warning and button to reload the .blend file with scripts enabled.
Realistically I think Python and the Blender Python API are just insecure, and that securing them is not feasible. We could however make it difficult enough to do this that only an expert could make malicious .blend files. That does mean we need to fork Python, create a sandbox implementation for Python 3.0, and audit the entire API for security issues, and then create a system where we make a distinction between secure and insecure scripts (as the latter will always be needed for some cases). I expect that would take 6-12 months of development time, along with continued work maintaining our own Python fork and keeping the BPY API secure. Switching to another language takes even more development time of course, and Python is basically the standard scripting language for 3D. Users often to own scripting, especially at small studios, and so I thinking saying users come before scripters in this case. Switching to a language like LUA which does not a similar ecosystem around the language would definitely affect users. On Fri, Jun 7, 2013 at 1:12 PM, Ton Roosendaal <[email protected]> wrote: > Hi all Pythoneers, > > Scripters are important for Blender, but just like the C developers they have > a responsibility for users out there. A good proposal for security has to > come from you as experts first. > > If this discussion just leads to marking every idea as impossible (Python is > insecure by design) then we should have a big problem with keeping Python in > Blender. Fork it, sandbox it, or move to LUA. > > Let it be clear: we're making Blender here, which is meant to be a 3D > creation tool. It's not a Python development environment. Users come first, > scripters and coders second. So... stop being smartasses and think > constructive a bit. > > -Ton- > > -------------------------------------------------------- > Ton Roosendaal - [email protected] - www.blender.org > Chairman Blender Foundation - Producer Blender Institute > Entrepotdok 57A - 1018AD Amsterdam - The Netherlands > > > > On 7 Jun, 2013, at 12:08, Domino Marama wrote: > >> On 06/07/2013 10:21 AM, Ton Roosendaal wrote: >>> Hi Campbell, >>> >>> I don't know enough about Python internals, so I depend on someone to help >>> designing a sane way to handle security risks here. There must be ways we >>> can help users? >>> >>> Look for example at the standard UI scripts. Apart from 1 case, there's no >>> "import os" anywhere. Same goes for essential scripts riggers or animators >>> use. >>> >>> So, why not add a provision in Blender code to check on such cases. Just >>> don't allow import of any module = safe script? In all other cases: needs >>> to be explicitly permitted to run. >>> >>> Something like this would make a "trusted source" option on file loading >>> more useful. Right now, unticking "trusted source" is almost equivalent to >>> "disable useful features". >>> >>> >>>>> oh = 'SOS HELP!' >>>>> ohoh = __import__(oh[1:3].lower()) >>>>> ohoh >> <module 'os' from >> '/home/domino/Applications/blender-2.67-linux-glibc211-x86_64/2.67/python/lib/python3.3/os.py'> >> >> On Linux distros where system Python is used, I doubt anything can be >> done to prevent the import function from being used. >> >> Load Blender with a console, check there's the startup message on it. >> Then paste this into say the frame number field.. >> >> eval("__import__('os').system('clear')", {}) >> >> Now check console again.. Just checking scripts for imports isn't enough. >> _______________________________________________ >> Bf-committers mailing list >> [email protected] >> http://lists.blender.org/mailman/listinfo/bf-committers > > _______________________________________________ > Bf-committers mailing list > [email protected] > http://lists.blender.org/mailman/listinfo/bf-committers _______________________________________________ Bf-committers mailing list [email protected] http://lists.blender.org/mailman/listinfo/bf-committers
