Hi Campbell,

I don't know enough about Python internals, so I depend on someone to help 
design a sane way to handle security risks here. There must be ways we can 
help users?

Look for example at the standard UI scripts. Apart from 1 case, there's no 
"import os" anywhere. Same goes for essential scripts riggers or animators use.

So, why not add a provision in Blender code to check on such cases. Just don't 
allow import of any module = safe script? In all other cases: needs to be 
explicitly permitted to run. 

Something like this would make a "trusted source" option on file loading more 
useful. Right now, unticking "trusted source" is almost equivalent to "disable 
useful features".

-Ton-

--------------------------------------------------------
Ton Roosendaal  -  [email protected]   -   www.blender.org
Chairman Blender Foundation - Producer Blender Institute
Entrepotdok 57A  -  1018AD Amsterdam  -  The Netherlands



On 6 Jun, 2013, at 20:13, Campbell Barton wrote:

> On Thu, Jun 6, 2013 at 6:47 PM, Ton Roosendaal <[email protected]> wrote:
>> Hi,
>> 
>> I think you give up too easily here. :) For example, we could also make a 
>> bpy.os module, and mark scripts that use this as 'trusted'. Scripts using 
>> the os.module itself then require a user to explicitly run it, or being 
>> embedded in a file marked trusted (own files etc).
> 
> You know I already attempted this and have been shown by developers
> more expert in CPython internals than me, that CPython makes no
> effort to support such limitations and that it is trivial to work around
> them.
> 
> You assume there is an effective way to control module importing (that
> we could even stop a script from using any of CPython's bundled modules
> - `os` included).
> 
> I'd want good evidence this can be done, until someone shows this -
> I'll assume it can't.
> 
>> This is not to forbid using os module, it's to not make such scripts run 
>> automatically.
>> 
>> The main issue would be first to sanitize our non-python writing code, make 
>> sure this goes more secured and controlled. Once that's in place, scripters 
>> can use that as well, and get free support for the features we use in 
>> Blender C code all over as well.
>> 
>> -Ton-
> _______________________________________________
> Bf-committers mailing list
> [email protected]
> http://lists.blender.org/mailman/listinfo/bf-committers
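
The check proposed in this message (scripts without module imports run automatically, everything else needs explicit permission), sketched as a static triage pass. This is an added example, not Blender code or code from either author; the `bpy` allow-list, the function name and the sample scripts are assumptions. It only decides what to prompt for and does not restrict a script once it executes.

```python
import ast

ALLOWED_MODULES = {"bpy"}  # assumption: modules the policy lets through
# Builtins that can load code or modules without an import statement.
DYNAMIC_NAMES = {"__import__", "eval", "exec", "compile", "getattr",
                 "globals", "locals", "vars", "open"}
SAFE_DUNDERS = {"__init__"}  # assumption: dunder attributes normal classes need

def classify_script(source, allowed=ALLOWED_MODULES):
    """Return ("auto-run", []) or ("needs-permission", [reasons])."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError) as exc:
        # Fail closed: a script that cannot be analysed is never auto-run.
        return "needs-permission", [f"unparseable: {exc}"]
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            # Relative imports become ".", "..pkg" and are never allow-listed.
            mods = ["." * node.level + (node.module or "")]
        else:
            mods = []
        for mod in mods:
            if mod.split(".")[0] not in allowed:
                found.append((node.lineno, f"import {mod}"))
        if isinstance(node, ast.Name) and node.id in DYNAMIC_NAMES:
            found.append((node.lineno, f"dynamic builtin {node.id}"))
        if (isinstance(node, ast.Attribute) and node.attr.startswith("__")
                and node.attr not in SAFE_DUNDERS):
            found.append((node.lineno, f"dunder attribute {node.attr}"))
    reasons = [f"line {line}: {msg}" for line, msg in sorted(found)]
    return ("needs-permission" if reasons else "auto-run"), reasons

# Constructed sample scripts, not taken from Blender.
UI_PANEL = ("import bpy\n\n"
            "class DemoPanel(bpy.types.Panel):\n"
            "    bl_label = 'Demo'\n"
            "    def draw(self, context):\n"
            "        self.layout.label(text='hi')\n")
USES_OS = "import bpy\nimport os\nprint(os.getcwd())\n"
DYNAMIC = "mod = __import__(name)\n"

if __name__ == "__main__":
    for label, src in [("ui", UI_PANEL), ("os", USES_OS), ("dyn", DYNAMIC)]:
        print(label, classify_script(src))
```
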
