Well, since it's open source, why not just change the source and compile? Given the amount of Security! discussion, it must be relatively simple to somehow force Blender to execute a script.
Perhaps you could create a dos shortcut such as blender -b myfile.blend -p myvirus.py and then over-ride scripts at startup as if you were a trusting soul. It's what we do when we make an RPC call to the cloud to make a render...so if that script was malicious, it should work. How malicious depends on what Python allows you to do. At a minimum, you could write garbage out to 50 files; demonstrating that in theory you could keep going until the disk filled up, which would be a real pain in the butt for windoze. In 2.5, in Python, you could create a panel and a button that, when clicked, runs a script. Call the button "Make Awesome Movie" in a Presets panel or "Make Awesome MMORPG" and everyone is sure to click it. --Roger Check out my website at www.rogerwickes.com for a good deal on my book and training course, as well as information about my latest activities. Use coupon Papasmurf for $15 off! ________________________________ From: Shaul Kedem <[email protected]> To: bf-blender developers <[email protected]> Sent: Thu, May 6, 2010 3:08:04 PM Subject: Re: [Bf-committers] Blender security: any Onload functions? Hi Taro, A quick tip: do not show security flaws in a software which was not released yet. even if it is an open source project. Regarding your question, this is not possible unless the user explicitly permit the script to run, Regards, shul On Thu, May 6, 2010 at 12:04 PM, Taro Omiya <[email protected]> wrote: > Hello everyone. I wanted to comment that Blender 2.5.2 is easily the > best change on the project since...ever. > > In any case, I'm working on a presentation for a course in computer > security, and I chose Blender 2.5.2 as "my victim." To demonstrate an > attack, I wanted to create a script that would load automatically on > file open. Is there a function to do that? I found the "addScriptLink" > in the old API, and wondered if there was an equivalent to it. > > Note that I personally am not a malicious person. I don't consider > myself that great of a programmer, let alone a hacker. I merely do this > because it is a major part of my grade. > > Thanks for the help! > > -- > Taro Omiya > B.S. Computer Science '10 > Rensselaer Polytechnic Institute > > _______________________________________________ > Bf-committers mailing list > [email protected] > http://lists.blender.org/mailman/listinfo/bf-committers > _______________________________________________ Bf-committers mailing list [email protected] http://lists.blender.org/mailman/listinfo/bf-committers _______________________________________________ Bf-committers mailing list [email protected] http://lists.blender.org/mailman/listinfo/bf-committers
