Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Wed, Jun 12, 2013 at 2:32 AM, Campbell Barton ideasma...@gmail.com wrote: On Tue, Jun 11, 2013 at 8:49 PM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: On Tue, Jun 11, 2013 at 8:35 AM, Campbell Barton ideasma...@gmail.com wrote: - Asking to reload a file is OK, but what if you haven't saved the file? (eg, you load a new file and append an object with a driver). Currently the reload button is just removed in this case and you can only choose to ignore the warning. I think this message should disappear as soon as you do any operation, same as other messages from operator. Then it can be ignored it without having to do anything. This message intentionally expects a user action because the blend file may behave totally broken if scripts don't run. Some users click around aimlessly. they might immediately perform some action on load that cancels the message, or for some reason another message replaces it so fast they are unaware scripts are disabled. We risk users overlooking the warning message, then thinking blender is broken or whoever made the blend-file made a mistake. For most reports this is OK, but for rigs I worry it means the difference between blender working or not. I don't agree, by making this something that you have to click away it becomes a modal message and I think it's important to avoid that as much as possible. We need to ensure that the user sees this immediately, if they are already performing other actions and then only find this out later we've already failed I think. The little flashing animation for operator reports is perfect to attract attention. If there is a risk of something else replacing it, we can give the message priority for a few seconds. The red (X) button also looks more threatening than the reload button to me. Further I think the message should be changed, Script failed to auto-run makes it sound like it actually tried to run the script but there was some error? I suggest: [ (i) Auto-run script 'some_script.py' disabled | Reload Trusted | Ignore ] It would also be nice if this could follow the same styling as operator reports. Good suggestions, committed r57384. it looks like this now: [ (i) Auto-run disabled: Text 'some_script.py' | Reload Trusted | Ignore ] Changed a little because the text may be a driver expression which can be very long and makes the message not read so clearly. Note, many reasonable suggestions have been made in this thread, but at this point I don't think its useful to reply to all. Next Ill check on ways for users to selectively trust blend files for their own projects so this behavior isn't annoying users. Perhaps what we could do is store a list of .blend file hashes that were trusted or created by the user somewhere. Main disadvantage with hashes is if you work with others on a shared repo, changed hashes will be common then you also have to manage clearing old hashes - its doable but would like something thats easier for users to manage if possible. True, it doesn't solve that case. It would mainly be so that for all the files you saved yourself, or that you trusted once it would never ask you again. Brecht. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
How about a script that automatically checks each script in the .blend when it opens, before auto-running scripts... but it ONLY pops up an alert if it detects suspicious code, any specific functions that wouldn't normally be needed in a .blend file or stand a good chance of messing things up. Hopefully it won't slow things down, and it can be easy to turn off. The key is fewer alerts so it's not as ignored, while also being automatic. If it detects something that warrants investigation, it can tell the user something like, This script has the ability to control other programs(or send email, or delete files). Here is the code that does this. If this is not a function you expect, click here to deactivate it.. Something not too alarming in case it's nothing. More positive matches would outright be blocked. This will of course miss some things, especially early on(if there's anything to miss), but it'll catch more than what's caught now, especially anything obvious-but-buried-under-600-lines-of-code. I have a particular interest in security because I'm working on a variation of Blender that's specifically for presentations(using the game engine), and if Blender is being used like Powerpoint, it's likely to get malware like Powerpoint. I'm glad that this conversation is happening, and there might be some ideas that wouldn't work well for Blender but will be perfect for a more single-purpose program that doesn't need as much flexibility. More info on the presentation software is at http://blendshow.com (just to prevent questions that would bring this thread off-topic) -- View this message in context: http://blender.45788.x6.nabble.com/Please-turn-off-Auto-Run-Python-Scripts-by-default-tp108971p109403.html Sent from the Bf-committers mailing list archive at Nabble.com. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Right now the information about this file contains autorun scripts gets displayed right after the script is loaded, but goes away as soon as i have decided to either run the sripts or not run them. I believe it is much more indicative if this information would be displayed permanently, like so (just a placeholder example): http://www.pasteall.org/pic/show.php?id=53378 this icon could even be active in this sense: if autorun scripts are currently disabled, and the blend file has not been modified: - you can click on the icon to reload the blend file with autorun enabled. I added the little green spot in the middle of the icon for fun, but actually what about this ? icon with green spot - scripts are running icon with red spot - scripts are blocked -gaia- On 12.06.2013 12:01, Brecht Van Lommel wrote: On Wed, Jun 12, 2013 at 2:32 AM, Campbell Barton ideasma...@gmail.com wrote: On Tue, Jun 11, 2013 at 8:49 PM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: On Tue, Jun 11, 2013 at 8:35 AM, Campbell Barton ideasma...@gmail.com wrote: - Asking to reload a file is OK, but what if you haven't saved the file? (eg, you load a new file and append an object with a driver). Currently the reload button is just removed in this case and you can only choose to ignore the warning. I think this message should disappear as soon as you do any operation, same as other messages from operator. Then it can be ignored it without having to do anything. This message intentionally expects a user action because the blend file may behave totally broken if scripts don't run. Some users click around aimlessly. they might immediately perform some action on load that cancels the message, or for some reason another message replaces it so fast they are unaware scripts are disabled. We risk users overlooking the warning message, then thinking blender is broken or whoever made the blend-file made a mistake. For most reports this is OK, but for rigs I worry it means the difference between blender working or not. I don't agree, by making this something that you have to click away it becomes a modal message and I think it's important to avoid that as much as possible. We need to ensure that the user sees this immediately, if they are already performing other actions and then only find this out later we've already failed I think. The little flashing animation for operator reports is perfect to attract attention. If there is a risk of something else replacing it, we can give the message priority for a few seconds. The red (X) button also looks more threatening than the reload button to me. Further I think the message should be changed, Script failed to auto-run makes it sound like it actually tried to run the script but there was some error? I suggest: [ (i) Auto-run script 'some_script.py' disabled | Reload Trusted | Ignore ] It would also be nice if this could follow the same styling as operator reports. Good suggestions, committed r57384. it looks like this now: [ (i) Auto-run disabled: Text 'some_script.py' | Reload Trusted | Ignore ] Changed a little because the text may be a driver expression which can be very long and makes the message not read so clearly. Note, many reasonable suggestions have been made in this thread, but at this point I don't think its useful to reply to all. Next Ill check on ways for users to selectively trust blend files for their own projects so this behavior isn't annoying users. Perhaps what we could do is store a list of .blend file hashes that were trusted or created by the user somewhere. Main disadvantage with hashes is if you work with others on a shared repo, changed hashes will be common then you also have to manage clearing old hashes - its doable but would like something thats easier for users to manage if possible. True, it doesn't solve that case. It would mainly be so that for all the files you saved yourself, or that you trusted once it would never ask you again. Brecht. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
A suggestion that hasn't be done before here (but it's related to the post I'm replying to): Hash all the potentially dangerous data (scripts, driver expressions, anything that has python code) and store those hashes when the user chooses to trust the .blend file. If someone heavily modifies Sintel to make a new character but scripts remain untouched, when it's shared the scripts are automatically trusted if the user has trusted them before. DiThi 2013/6/12 Garrett Williams que...@gmail.com How about a script that automatically checks each script in the .blend when it opens, before auto-running scripts... but it ONLY pops up an alert if it detects suspicious code, any specific functions that wouldn't normally be needed in a .blend file or stand a good chance of messing things up. Hopefully it won't slow things down, and it can be easy to turn off. The key is fewer alerts so it's not as ignored, while also being automatic. If it detects something that warrants investigation, it can tell the user something like, This script has the ability to control other programs(or send email, or delete files). Here is the code that does this. If this is not a function you expect, click here to deactivate it.. Something not too alarming in case it's nothing. More positive matches would outright be blocked. This will of course miss some things, especially early on(if there's anything to miss), but it'll catch more than what's caught now, especially anything obvious-but-buried-under-600-lines-of-code. I have a particular interest in security because I'm working on a variation of Blender that's specifically for presentations(using the game engine), and if Blender is being used like Powerpoint, it's likely to get malware like Powerpoint. I'm glad that this conversation is happening, and there might be some ideas that wouldn't work well for Blender but will be perfect for a more single-purpose program that doesn't need as much flexibility. More info on the presentation software is at http://blendshow.com (just to prevent questions that would bring this thread off-topic) -- View this message in context: http://blender.45788.x6.nabble.com/Please-turn-off-Auto-Run-Python-Scripts-by-default-tp108971p109403.html Sent from the Bf-committers mailing list archive at Nabble.com. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Update on whats going on: - Default has been changed not to auto-run scripts, with option to reload a blend if it attempts to run a script. looks like this: http://www.graphicall.org/ftp/ideasman42/trust_header.png - Since this is a user preference, Users with current preferences saved won't notice any changes. Open issues... - Asking to reload a file is OK, but what if you haven't saved the file? (eg, you load a new file and append an object with a driver). Currently the reload button is just removed in this case and you can only choose to ignore the warning. - There is the issue where you start a new file, add a driver --- it wont work because auto-execution is disabled. ... this should probably be resolved before 2.68. - Freestyle currently ignores auto-exec option, Perhaps this is OK: if you load a game and press P, it also runs scripts even if 'Autorun' is off. Likewise, loading a blend file and pressing Render, will execute freestyle scripts, optionally we could disable these too. Note, many reasonable suggestions have been made in this thread, but at this point I don't think its useful to reply to all. Next Ill check on ways for users to selectively trust blend files for their own projects so this behavior isn't annoying users. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
It's perhaps somewhat irrelevant at this point in time (since we've now already got a solution in progress), but for posterity, I thought I'd just mention some thoughts I had about this situation yesterday. As Miika says, it's clear that trying to do runtime protection (i.e. sandboxing) is impossible, and that the only solution is to inform users about scripts that do exist, and to prevent automatic execution of these (by default) until users have been able to evaluate the risks involved. In other words, what we're now trying to do / implementing. However, where I think we could do a bit better than what we're proposing is to take an extra step and provide users with tools (integrated into the warning+confirmation mechanism before scripts are executed) of the assessed risk of the scripts in the file being dangerous to enable. Now, perhaps I'm taking an overly optimistic view of the situation, but if we somewhat tighten the bounds of the types of constructs that we consider likely to be legitimate/harmless code while loosening our expectation of 100% foolproof good/bad classification of a given piece of code (e.g. we know in general that obfuscation techniques and code which goes munging around with methods/members with underscore names, so therefore, it's we can reliably suspect this snippet is suspicious, though we can't pass judgement on whether it's really evil or not), then we can use such judgements as a basis for estimating the potential danger posed to users. For more details, see: http://aligorith.blogspot.co.nz/2013/06/probabilistic-security-another-take-on.html Regards, Joshua On Sun, Jun 9, 2013 at 11:04 PM, Miika Hämäläinen blen...@miikah.org wrote: IMHO the situation is clear: It's practically impossible to detect malicious scripts or make script execution fully safe. Implementing a safe scripting environment could be a nice long term target, but the main issue has to be addressed sooner. Therefore only solution is to inform users about a script before it's executed and prevent automatic execution by default. If user trusts the source or expects the file to contain scripts then he is free to allow those scripts to run after the notification. If not then its his judgement to not trust the script (even if it came from official training DVD). There will be users who just click allow to any dialog we show but at that point it's really their issue not ours. However, advanced users who care about their security should still be able to *open* (not necessarily execute) .blend files without having to scan them with some external script scanners or without having to ensure they remembered to disable auto-execution when they last time reverted to factory settings. :) As already discussed in this thread, ideally the dialog would both indicate that the script can be dangerous but also note that the blend file likely won't function as intended without scripts. Naturally advanced users should be able to allow automatic execution of any scripts as well if they decide so. Anyway, something has to be done. I mean seriously, how many Blender users even know there is such a setting? I didn't until last week. I always expected one would be safe to open .blend files until executing those scripts manually... Right now anyone can create a malicious blend, upload it online combined with a nice scene and it executes on 99% of users systems without them ever knowing that their personal documents were just uploaded online. 9.6.2013 12:54, Campbell Barton wrote: On Sun, Jun 9, 2013 at 5:37 PM, Knappmagick.c...@gmail.com wrote: Sure, not everyone's a programmer that can inspect the scripts, but at some point I feel the responsibility lies with the users and with the sites offering the .blends to inform them of potential dangers, and not so much with the BF trying to create a super-safe environment. Super-safe in this case translating to crippled or unusable for some. I think you under estimate how easy it is to hide code in a blend file, at the risk of giving people bad ideas... I like a lock on a door with windows all over the house, adding some code to blender to stop viruses will never be perfect but it will stop the neighborhood kid from breaking in. Just knowing that blender has some protection will slow down most virus attacks or stop them from ever even trying. We will never be able to stop governments or other pros from attacking the program but that does not mean we should not lock the door. It seems like you reply to a different point? I'm only saying that its not so fair to expect users to be able to open a blend and check for malicious python scripts. We could have some tool that extracts scripts from a blend (so at least hiding isn't so much an issue), but this isn't really a solution, just a tool that helps in certain situations. ___ Bf-committers mailing list Bf-committers@blender.org
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Tue, Jun 11, 2013 at 8:49 PM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: Hi, On Tue, Jun 11, 2013 at 8:35 AM, Campbell Barton ideasma...@gmail.com wrote: - Asking to reload a file is OK, but what if you haven't saved the file? (eg, you load a new file and append an object with a driver). Currently the reload button is just removed in this case and you can only choose to ignore the warning. I think this message should disappear as soon as you do any operation, same as other messages from operator. Then it can be ignored it without having to do anything. This message intentionally expects a user action because the blend file may behave totally broken if scripts don't run. Some users click around aimlessly. they might immediately perform some action on load that cancels the message, or for some reason another message replaces it so fast they are unaware scripts are disabled. We risk users overlooking the warning message, then thinking blender is broken or whoever made the blend-file made a mistake. For most reports this is OK, but for rigs I worry it means the difference between blender working or not. The red (X) button also looks more threatening than the reload button to me. Further I think the message should be changed, Script failed to auto-run makes it sound like it actually tried to run the script but there was some error? I suggest: [ (i) Auto-run script 'some_script.py' disabled | Reload Trusted | Ignore ] It would also be nice if this could follow the same styling as operator reports. Good suggestions, committed r57384. it looks like this now: [ (i) Auto-run disabled: Text 'some_script.py' | Reload Trusted | Ignore ] Changed a little because the text may be a driver expression which can be very long and makes the message not read so clearly. Note, many reasonable suggestions have been made in this thread, but at this point I don't think its useful to reply to all. Next Ill check on ways for users to selectively trust blend files for their own projects so this behavior isn't annoying users. Perhaps what we could do is store a list of .blend file hashes that were trusted or created by the user somewhere. Main disadvantage with hashes is if you work with others on a shared repo, changed hashes will be common then you also have to manage clearing old hashes - its doable but would like something thats easier for users to manage if possible. Brecht. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- - Campbell ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Sure, not everyone's a programmer that can inspect the scripts, but at some point I feel the responsibility lies with the users and with the sites offering the .blends to inform them of potential dangers, and not so much with the BF trying to create a super-safe environment. Super-safe in this case translating to crippled or unusable for some. I think you under estimate how easy it is to hide code in a blend file, at the risk of giving people bad ideas... I like a lock on a door with windows all over the house, adding some code to blender to stop viruses will never be perfect but it will stop the neighborhood kid from breaking in. Just knowing that blender has some protection will slow down most virus attacks or stop them from ever even trying. We will never be able to stop governments or other pros from attacking the program but that does not mean we should not lock the door. -- Douglas E Knapp Creative Commons Film Group, Helping people make open source movies with open source software! http://douglas.bespin.org/CommonsFilmGroup/phpBB3/index.php Massage in Gelsenkirchen-Buer: http://douglas.bespin.org/tcm/ztab1.htm Please link to me and trade links with me! Open Source Sci-Fi mmoRPG Game project. http://sf-journey-creations.wikispot.org/Front_Page http://code.google.com/p/perspectiveproject/ ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Sun, Jun 9, 2013 at 5:37 PM, Knapp magick.c...@gmail.com wrote: Sure, not everyone's a programmer that can inspect the scripts, but at some point I feel the responsibility lies with the users and with the sites offering the .blends to inform them of potential dangers, and not so much with the BF trying to create a super-safe environment. Super-safe in this case translating to crippled or unusable for some. I think you under estimate how easy it is to hide code in a blend file, at the risk of giving people bad ideas... I like a lock on a door with windows all over the house, adding some code to blender to stop viruses will never be perfect but it will stop the neighborhood kid from breaking in. Just knowing that blender has some protection will slow down most virus attacks or stop them from ever even trying. We will never be able to stop governments or other pros from attacking the program but that does not mean we should not lock the door. It seems like you reply to a different point? I'm only saying that its not so fair to expect users to be able to open a blend and check for malicious python scripts. We could have some tool that extracts scripts from a blend (so at least hiding isn't so much an issue), but this isn't really a solution, just a tool that helps in certain situations. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
IMHO the situation is clear: It's practically impossible to detect malicious scripts or make script execution fully safe. Implementing a safe scripting environment could be a nice long term target, but the main issue has to be addressed sooner. Therefore only solution is to inform users about a script before it's executed and prevent automatic execution by default. If user trusts the source or expects the file to contain scripts then he is free to allow those scripts to run after the notification. If not then its his judgement to not trust the script (even if it came from official training DVD). There will be users who just click allow to any dialog we show but at that point it's really their issue not ours. However, advanced users who care about their security should still be able to *open* (not necessarily execute) .blend files without having to scan them with some external script scanners or without having to ensure they remembered to disable auto-execution when they last time reverted to factory settings. :) As already discussed in this thread, ideally the dialog would both indicate that the script can be dangerous but also note that the blend file likely won't function as intended without scripts. Naturally advanced users should be able to allow automatic execution of any scripts as well if they decide so. Anyway, something has to be done. I mean seriously, how many Blender users even know there is such a setting? I didn't until last week. I always expected one would be safe to open .blend files until executing those scripts manually... Right now anyone can create a malicious blend, upload it online combined with a nice scene and it executes on 99% of users systems without them ever knowing that their personal documents were just uploaded online. 9.6.2013 12:54, Campbell Barton wrote: On Sun, Jun 9, 2013 at 5:37 PM, Knappmagick.c...@gmail.com wrote: Sure, not everyone's a programmer that can inspect the scripts, but at some point I feel the responsibility lies with the users and with the sites offering the .blends to inform them of potential dangers, and not so much with the BF trying to create a super-safe environment. Super-safe in this case translating to crippled or unusable for some. I think you under estimate how easy it is to hide code in a blend file, at the risk of giving people bad ideas... I like a lock on a door with windows all over the house, adding some code to blender to stop viruses will never be perfect but it will stop the neighborhood kid from breaking in. Just knowing that blender has some protection will slow down most virus attacks or stop them from ever even trying. We will never be able to stop governments or other pros from attacking the program but that does not mean we should not lock the door. It seems like you reply to a different point? I'm only saying that its not so fair to expect users to be able to open a blend and check for malicious python scripts. We could have some tool that extracts scripts from a blend (so at least hiding isn't so much an issue), but this isn't really a solution, just a tool that helps in certain situations. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Maybe you can put security aside for a moment and first look at this topic from the information perspective: Wouldn't it be nice to get informed whenever a .blend file contains scripts ? That could be simply a python icon next to the blender icon in the main menu header for example. This could raise attention already and make users aware of scripted blend files. Now in in the next step take security into account: The python icon could get 2 states (active,inactive). It could be directly connected to the Auto run Scripts option in the user properties. So: - if blend file contains no scripts: Icon is invisible, or greyed out otherwise: - if Auto run Scripts enabled: Icon is set to active no state change possible - if Auto run Scripts disabled: Icon is set to inactive on load state change to active possible It would be nice if a state change from inactive to active does NOT reload the blend file, because otherwise we might loose work when the file has been edited in the mean time. cheers, Gaia On 07.06.2013 18:15, Erwin Coumans wrote: I just want Blender to ask me at loading time, if I want to run scripts or not. Obviously option should be a user preference. At loading time you can then reply: 1) run script this time 2) don't run scripts this time 3) always run scripts and don't nag/ask me ever again 4) never run scripts and don't nag/ask me ever again That is a very simple starting point to better manage security I think. Thanks, Erwin ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi Erwin, Put yourself in the position of someone who purchases the famous CGcookie animation training DVD. On loading the first tutorial file, Blender then throws a popup: This .blend file contains autorun scripts, do you want to run it? I consider such requests totally void of any meaning, because you simply have no way to find out what the consequences are of accepting the choice. If you don't accept it you cannot even use the .blend file nor use the DVD you paid for. This is not user control, it's blaming users for trying to get a working product. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 18:49, Erwin Coumans wrote: Nearly every person who gets the menu Do you want to run this script wouldn't know what to anwser. I think you under-estimate Blender users. People are familiar with such a question, for example when using a web browser. I think it is good to give the user control. On 7 June 2013 09:26, Ton Roosendaal t...@blender.org wrote: Hi, Making autorun default off (and optional) is really a good start. But it's not enough. Especially requesters won't work well. Nearly every person who gets the menu Do you want to run this script wouldn't know what to anwser. It's like a click on I agreed with the license. Only lawyers are interested in such - it moves liability to the user. Bad practice. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 18:15, Erwin Coumans wrote: I just want Blender to ask me at loading time, if I want to run scripts or not. Obviously option should be a user preference. At loading time you can then reply: 1) run script this time 2) don't run scripts this time 3) always run scripts and don't nag/ask me ever again 4) never run scripts and don't nag/ask me ever again That is a very simple starting point to better manage security I think. Thanks, Erwin On 7 June 2013 09:03, Ton Roosendaal t...@blender.org wrote: Hi Shrinidhi, Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? That's interesting to check, but I don't like to make users responsible for checking each .blend they want to load. My preference is a way that's relatively safe and works out of the box for everyone (except system administrators :). 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. That is only true if we stick to how it works now. We can find ways to either force scripts to become add-ons or to mark .blend files or scripts as trusted for own use and studios. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 16:37, Shrinidhi Rao wrote: On Fri, Jun 7, 2013 at 4:42 PM, Ton Roosendaal t...@blender.org wrote: Hi all Pythoneers, Scripters are important for Blender, but just like the C developers they have a responsibility for users out there. A good proposal for security has to come from you as experts first. Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? The script can have a way to update a set of rules that marks the files safe or unsafe. May be blender institute can maintain a database and the script will auto-update the rules. People responsible for the python API can keep updating the database incrementally. Now why a different script? . 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. 2 : it can be run individually by the security conscious people . at least they will have a way to check if a blend file is evil or good . 3: for large deployments it can be run in batch mode to check multiple files at once . This way we can make the users happy . at least they will have a way to tell what the blend file is up to . In a studio we need not worry about it as there are proper user permissions and policies already implemented. If this discussion just leads to marking every idea as impossible (Python is insecure by design) then we should have a big problem with keeping Python in Blender. Fork it, sandbox it, or move to LUA. This is not at all
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi Campbell, Thanks for clarifying. Limiting module access is just really hard to do... snip unless you remove the functionality altogether. Just in theory then: so we can make a (static linked) Python interpreter without any modules, and not allowing to load any other module or C compliled component? Just the smallest Py interpreter possible? Next step: we can make it run all our bpy commands fine? So, we can draw almost all of the UI with it, run Cyles, and we can use it for autorun scripts and even some add-ons. It would still be a cripple Blender from a scripter p.o.v, but for the basics of Blender usage it would be a functional tool already. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 19:29, Campbell Barton wrote: On Fri, Jun 7, 2013 at 7:21 PM, Ton Roosendaal t...@blender.org wrote: Hi Campbell, I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users? So far I can only see the way to help users is limited to them running executable code bundled with a blend, or not. (as has been discussed) Look for example at the standard UI scripts. Apart from 1 case, there's no import os anywhere. Same goes for essential scripts riggers or animators use. So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all other cases: needs to be explicitly permitted to run. Limiting module access is just really hard to do... this isn't about being a smart-arse, its just that the way CPython works makes this near impossible unless you remove the functionality altogether. Even if importing of modules is disabled you can use namespace tricks to access modules. eg: os = next(iter(i for i in (1).__class__.__mro__[-1].__subclasses__() if i.__name__ == '_ZipDecrypter'))._UpdateKeys.__globals__[so[::-1]] Of course you can start to disable CPythons own introspection then this could be disabled but Blender currently takes advantage of this in some places so as Brecht says - this ends up becoming a large project we need to maintain, its not just some 1-2 week project to come up with a safe version of CPython. Something like this would make a trusted source option on file loading more useful. Right now, unticking trusted source is almost equivalent to disable useful features. With drivers yes, further though I don't think many blend files need to execute code. -Ton- ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Ton, I disagree with you on this point. If I know the origin of .blend file is trusted, I will choose Yes to auto-run scripts, obviously. I want to have this missing choice. To me that is exactly the same as downloading and executing files from a web browser: you get to choose. Why not add this preference if many users want the freedom to choose at loading time? I am not arguing for a default setting. Thanks, Erwin Sent from my iPhone On Jun 8, 2013, at 4:23 AM, Ton Roosendaal t...@blender.org wrote: I consider such requests totally void of any meaning, because you simply have no way to find out what the consequences are of accepting the choice. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
I consider such requests totally void of any meaning, because you simply have no way to find out what the consequences are of accepting the choice. If you don't accept it you cannot even use the .blend file nor use the DVD you paid for. I may be missing the obvious here, but I would imagine the typical use of this pop-up to go as follows: - Download potentially unsafe .blend. - Open file, get prompted - Choose to not run the scripts - Inspect included scripts in Text Blocks (add-ons have already been manually installed and thus approved by the user) - Reload the file with scripts enabled (or better yet: run the blocked scripts without reloading) if I conclude the scripts are safe. Sure, not everyone's a programmer that can inspect the scripts, but at some point I feel the responsibility lies with the users and with the sites offering the .blends to inform them of potential dangers, and not so much with the BF trying to create a super-safe environment. Super-safe in this case translating to crippled or unusable for some. There's nothing wrong with wanting to do a pre-emptive strike, but some of the measures mentioned are taking it too far IMHO. How do other 3D suites with embedded scripting handle this? Somehow I feel we're overthinking a problem that isn't really a problem (yet). I think the User Preference, along with an additional one to judge on a case-by-case basis would have the best trade-off between being inobtrusive and providing users with an additional layer of control and security. Just my two cents, Patrick From: t...@blender.org Date: Sat, 8 Jun 2013 13:23:26 +0200 To: bf-committers@blender.org Subject: Re: [Bf-committers] Please turn off Auto Run Python Scripts by default Hi Erwin, Put yourself in the position of someone who purchases the famous CGcookie animation training DVD. On loading the first tutorial file, Blender then throws a popup: This .blend file contains autorun scripts, do you want to run it? I consider such requests totally void of any meaning, because you simply have no way to find out what the consequences are of accepting the choice. If you don't accept it you cannot even use the .blend file nor use the DVD you paid for. This is not user control, it's blaming users for trying to get a working product. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 18:49, Erwin Coumans wrote: Nearly every person who gets the menu Do you want to run this script wouldn't know what to anwser. I think you under-estimate Blender users. People are familiar with such a question, for example when using a web browser. I think it is good to give the user control. On 7 June 2013 09:26, Ton Roosendaal t...@blender.org wrote: Hi, Making autorun default off (and optional) is really a good start. But it's not enough. Especially requesters won't work well. Nearly every person who gets the menu Do you want to run this script wouldn't know what to anwser. It's like a click on I agreed with the license. Only lawyers are interested in such - it moves liability to the user. Bad practice. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 18:15, Erwin Coumans wrote: I just want Blender to ask me at loading time, if I want to run scripts or not. Obviously option should be a user preference. At loading time you can then reply: 1) run script this time 2) don't run scripts this time 3) always run scripts and don't nag/ask me ever again 4) never run scripts and don't nag/ask me ever again That is a very simple starting point to better manage security I think. Thanks, Erwin On 7 June 2013 09:03, Ton Roosendaal t...@blender.org wrote: Hi Shrinidhi, Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? That's interesting to check, but I don't like to make users responsible for checking each .blend they want to load. My preference is a way that's relatively safe and works out of the box for everyone (except system administrators :). 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. That is only true if we stick to how it works now. We can find ways to either force scripts to become add-ons or to mark .blend files or scripts as trusted for own use and studios. -Ton
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Something quite important has to happen in order to turn a one-to-one attack into a virus-like problem. As patient zero I get the first bad blend. It can't immediately do something bad to me or that is the end of the infection as I will not be able to infect anyone else. Instead it needs to make it so that any new files I create (and/or old ones) contain the same bad behavior. Otherwise it can't replicate. So isn't the answer simple? Just not allow a *script* to set any settings related to the auto-running of scripts? ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Sat, Jun 8, 2013 at 10:02 PM, Ton Roosendaal t...@blender.org wrote: Hi Campbell, Thanks for clarifying. I should have been a more clear in fact, (there are probably more workaround) but basic issues with restricting module access are... - modules are already loaded into python, so there is not a single point you can restrict scripts by restricting import. - modules can be accessed indirectly, eg __import__('zipfile').os - you can access namespaces of functions, classes - which in turn can contain modules. Limiting module access is just really hard to do... snip unless you remove the functionality altogether. Just in theory then: so we can make a (static linked) Python interpreter without any modules, and not allowing to load any other module or C compliled component? Just the smallest Py interpreter possible? With CPython2.x yes (at least this was a lot more feasible), since it could run with a single library, we did this for the Linux builds and in fact `os` module wasn't ensured to exist but it still worked OK for bundled scripts. But CPython3.x has many components written in Python, and its not clearly separated so I think we can't realistically maintain a heavily limited CPython unless we really accept re-implementing internals in C to make it work more like 2.x did. Quick estimate - on loading blender, reads these files (check with strace)... codecs.py aliases.py ascii.py utf_8.py latin_1.py io.py abc.py _weakrefset.py site.py os.py stat.py posixpath.py genericpath.py abc.py keyword.py heapq.py weakref.py reprlib.py copyreg.py re.py sre_compile.py sre_parse.py sre_constants.py functools.py locale.py imp.py machinery.py tokenize.py token.py warnings.py linecache.py Reading over these files most would need to be kept to maintain some compatibility (text encoding, io, tokenize... etc). For CPython3.3 adds up to ~9526 LOC (3336 comments, 2213 blanks), (checked with cloc), Equivalent C code writing to the CPython-API can easily be 5x as verbose, but lets assume not every line needs porting, I would still think 10k - 20k lines is a optimistic estimate. Of course its not just the line count that is a problem but that Py/C-API code is hard to maintain and troubleshoot. Next step: we can make it run all our bpy commands fine? So, we can draw almost all of the UI with it, run Cyles, and we can use it for autorun scripts and even some add-ons. It would still be a cripple Blender from a scripter p.o.v, but for the basics of Blender usage it would be a functional tool already. In principle what you say could work, but its still far too impractical IMHO. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 19:29, Campbell Barton wrote: On Fri, Jun 7, 2013 at 7:21 PM, Ton Roosendaal t...@blender.org wrote: Hi Campbell, I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users? So far I can only see the way to help users is limited to them running executable code bundled with a blend, or not. (as has been discussed) Look for example at the standard UI scripts. Apart from 1 case, there's no import os anywhere. Same goes for essential scripts riggers or animators use. So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all other cases: needs to be explicitly permitted to run. Limiting module access is just really hard to do... this isn't about being a smart-arse, its just that the way CPython works makes this near impossible unless you remove the functionality altogether. Even if importing of modules is disabled you can use namespace tricks to access modules. eg: os = next(iter(i for i in (1).__class__.__mro__[-1].__subclasses__() if i.__name__ == '_ZipDecrypter'))._UpdateKeys.__globals__[so[::-1]] Of course you can start to disable CPythons own introspection then this could be disabled but Blender currently takes advantage of this in some places so as Brecht says - this ends up becoming a large project we need to maintain, its not just some 1-2 week project to come up with a safe version of CPython. Something like this would make a trusted source option on file loading more useful. Right now, unticking trusted source is almost equivalent to disable useful features. With drivers yes, further though I don't think many blend files need to execute code. -Ton- ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Sat, Jun 8, 2013 at 11:55 AM, Harley Acheson harley.ache...@gmail.comwrote: Something quite important has to happen in order to turn a one-to-one attack into a virus-like problem. As patient zero I get the first bad blend. It can't immediately do something bad to me or that is the end of the infection as I will not be able to infect anyone else. Instead it needs to make it so that any new files I create (and/or old ones) contain the same bad behavior. Otherwise it can't replicate. So isn't the answer simple? Just not allow a *script* to set any settings related to the auto-running of scripts? Unless it manipulates the to-be infected files directly. Old boot sector viruses could do what they needed in a few hundred bytes (if not far less) and only with basic BIOS/DOS services available.. Now compare that with what power a python script has at its disposal and try to imagine what it can't do. All that is needed is to get a [normally] trusted source of .blend files to open one infected file with autorun (due to overconfidence, being rushed, sleep deprivation, distracted by pets/kids/spouse, etc..) and now everyone using future releases of their trusted files are at high risk. This is Virus Propagation 101. Even that [presumed safe] commercial DVD of blender media isn't 100% immune to passing viruses along.. many years ago I worked somewhere in which there was a virus on the mouse driver floppy as-is from the computer vendor. While things like this are rare, they can happen (admittedly more so when virus scanners were uncommon/non-existent). -Chad ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Sun, Jun 9, 2013 at 12:15 AM, patrick boelens p_boel...@msn.com wrote: I consider such requests totally void of any meaning, because you simply have no way to find out what the consequences are of accepting the choice. If you don't accept it you cannot even use the .blend file nor use the DVD you paid for. I may be missing the obvious here, but I would imagine the typical use of this pop-up to go as follows: - Download potentially unsafe .blend. - Open file, get prompted - Choose to not run the scripts - Inspect included scripts in Text Blocks (add-ons have already been manually installed and thus approved by the user) - Reload the file with scripts enabled (or better yet: run the blocked scripts without reloading) if I conclude the scripts are safe. Sure, not everyone's a programmer that can inspect the scripts, but at some point I feel the responsibility lies with the users and with the sites offering the .blends to inform them of potential dangers, and not so much with the BF trying to create a super-safe environment. Super-safe in this case translating to crippled or unusable for some. I think you under estimate how easy it is to hide code in a blend file, at the risk of giving people bad ideas... - Add a driver some place the user wont see, (slow parent or so). - Make the driver exec() code stored in a fake-user, 3d-textblock which isn't visible in any 3d layer. - Then add some simple script which does something harmless/useful to allay user fear. There's nothing wrong with wanting to do a pre-emptive strike, but some of the measures mentioned are taking it too far IMHO. How do other 3D suites with embedded scripting handle this? Somehow I feel we're overthinking a problem that isn't really a problem (yet). Apparently they have exactly the same problem. I think the User Preference, along with an additional one to judge on a case-by-case basis would have the best trade-off between being inobtrusive and providing users with an additional layer of control and security. Just my two cents, Patrick From: t...@blender.org Date: Sat, 8 Jun 2013 13:23:26 +0200 To: bf-committers@blender.org Subject: Re: [Bf-committers] Please turn off Auto Run Python Scripts by default Hi Erwin, Put yourself in the position of someone who purchases the famous CGcookie animation training DVD. On loading the first tutorial file, Blender then throws a popup: This .blend file contains autorun scripts, do you want to run it? I consider such requests totally void of any meaning, because you simply have no way to find out what the consequences are of accepting the choice. If you don't accept it you cannot even use the .blend file nor use the DVD you paid for. This is not user control, it's blaming users for trying to get a working product. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 18:49, Erwin Coumans wrote: Nearly every person who gets the menu Do you want to run this script wouldn't know what to anwser. I think you under-estimate Blender users. People are familiar with such a question, for example when using a web browser. I think it is good to give the user control. On 7 June 2013 09:26, Ton Roosendaal t...@blender.org wrote: Hi, Making autorun default off (and optional) is really a good start. But it's not enough. Especially requesters won't work well. Nearly every person who gets the menu Do you want to run this script wouldn't know what to anwser. It's like a click on I agreed with the license. Only lawyers are interested in such - it moves liability to the user. Bad practice. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 18:15, Erwin Coumans wrote: I just want Blender to ask me at loading time, if I want to run scripts or not. Obviously option should be a user preference. At loading time you can then reply: 1) run script this time 2) don't run scripts this time 3) always run scripts and don't nag/ask me ever again 4) never run scripts and don't nag/ask me ever again That is a very simple starting point to better manage security I think. Thanks, Erwin On 7 June 2013 09:03, Ton Roosendaal t...@blender.org wrote: Hi Shrinidhi, Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? That's interesting to check, but I don't like to make users responsible for checking each .blend they want
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi Campbell, I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users? Look for example at the standard UI scripts. Apart from 1 case, there's no import os anywhere. Same goes for essential scripts riggers or animators use. So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all other cases: needs to be explicitly permitted to run. Something like this would make a trusted source option on file loading more useful. Right now, unticking trusted source is almost equivalent to disable useful features. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 6 Jun, 2013, at 20:13, Campbell Barton wrote: On Thu, Jun 6, 2013 at 6:47 PM, Ton Roosendaal t...@blender.org wrote: Hi, I think you give up too easily here. :) For example, we could also make a bpy.os module, and mark scripts that use this as 'trusted'. Scripts using the os.module itself then require a user to explicitly run it, or being embedded in a file marked trusted (own files etc). You know I already attempted this and have been shown by developers more expert in CPython internals then me, that CPython makes not effort to support such limitations and that is trivial to workaround them. You assume there is an effective way to control module importing (that we could even stop a script from using any of CPythons bundled modules - `os` included). I'd want good evidence this can be done, until someone shows this - I'll assume it can't. This is not to forbid using os module, it's to not make such scripts run automatic. The main issue would be first to sanitize our non-python writing code, make sure this goes more secured and controlled. Once that's in place, scripters can use that as well, and get free support for the features we use in Blender C code all over as well. -Ton- ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi, Besides making Blender safer I think it is also important to make users more self aware of risks. Two humble propositions: - first run splash screen with something like: Thank you for choosing Blender. Beware of evil .blend files from unauthorised sources.. - small info beware of .blend files from unauthorised sources (under open button) when opening files with checkbox don't show anymore /Kuba W dniu 2013-06-07 11:21, Ton Roosendaal pisze: Hi Campbell, I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users? Look for example at the standard UI scripts. Apart from 1 case, there's no import os anywhere. Same goes for essential scripts riggers or animators use. So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all other cases: needs to be explicitly permitted to run. Something like this would make a trusted source option on file loading more useful. Right now, unticking trusted source is almost equivalent to disable useful features. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 6 Jun, 2013, at 20:13, Campbell Barton wrote: On Thu, Jun 6, 2013 at 6:47 PM, Ton Roosendaal t...@blender.org wrote: Hi, I think you give up too easily here. :) For example, we could also make a bpy.os module, and mark scripts that use this as 'trusted'. Scripts using the os.module itself then require a user to explicitly run it, or being embedded in a file marked trusted (own files etc). You know I already attempted this and have been shown by developers more expert in CPython internals then me, that CPython makes not effort to support such limitations and that is trivial to workaround them. You assume there is an effective way to control module importing (that we could even stop a script from using any of CPythons bundled modules - `os` included). I'd want good evidence this can be done, until someone shows this - I'll assume it can't. This is not to forbid using os module, it's to not make such scripts run automatic. The main issue would be first to sanitize our non-python writing code, make sure this goes more secured and controlled. Once that's in place, scripters can use that as well, and get free support for the features we use in Blender C code all over as well. -Ton- ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi, this is a bad idea (especially the first one). Adobe Reader also doesn't tell me on first start Thanks for using Adobe Reader, be aware of evil .pdfs. I bet inexperienced people will get afraid reading that and come to the conclusion, that this blend format is very insecure and shouldn't be used at all. I am sure we can improve security, without frightening our user base. ;) Thomas Am 07.06.2013 11:41, schrieb Jakub Zolcik: Hi, Besides making Blender safer I think it is also important to make users more self aware of risks. Two humble propositions: - first run splash screen with something like: Thank you for choosing Blender. Beware of evil .blend files from unauthorised sources.. - small info beware of .blend files from unauthorised sources (under open button) when opening files with checkbox don't show anymore /Kuba -- Thomas Dinges Blender Developer, Artist and Musician www.dingto.org ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On 06/07/2013 10:21 AM, Ton Roosendaal wrote: Hi Campbell, I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users? Look for example at the standard UI scripts. Apart from 1 case, there's no import os anywhere. Same goes for essential scripts riggers or animators use. So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all other cases: needs to be explicitly permitted to run. Something like this would make a trusted source option on file loading more useful. Right now, unticking trusted source is almost equivalent to disable useful features. oh = 'SOS HELP!' ohoh = __import__(oh[1:3].lower()) ohoh module 'os' from '/home/domino/Applications/blender-2.67-linux-glibc211-x86_64/2.67/python/lib/python3.3/os.py' On Linux distros where system Python is used, I doubt anything can be done to prevent the import function from being used. Load Blender with a console, check there's the startup message on it. Then paste this into say the frame number field.. eval(__import__('os').system('clear'), {}) Now check console again.. Just checking scripts for imports isn't enough. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi all Pythoneers, Scripters are important for Blender, but just like the C developers they have a responsibility for users out there. A good proposal for security has to come from you as experts first. If this discussion just leads to marking every idea as impossible (Python is insecure by design) then we should have a big problem with keeping Python in Blender. Fork it, sandbox it, or move to LUA. Let it be clear: we're making Blender here, which is meant to be a 3D creation tool. It's not a Python development environment. Users come first, scripters and coders second. So... stop being smartasses and think constructive a bit. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 12:08, Domino Marama wrote: On 06/07/2013 10:21 AM, Ton Roosendaal wrote: Hi Campbell, I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users? Look for example at the standard UI scripts. Apart from 1 case, there's no import os anywhere. Same goes for essential scripts riggers or animators use. So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all other cases: needs to be explicitly permitted to run. Something like this would make a trusted source option on file loading more useful. Right now, unticking trusted source is almost equivalent to disable useful features. oh = 'SOS HELP!' ohoh = __import__(oh[1:3].lower()) ohoh module 'os' from '/home/domino/Applications/blender-2.67-linux-glibc211-x86_64/2.67/python/lib/python3.3/os.py' On Linux distros where system Python is used, I doubt anything can be done to prevent the import function from being used. Load Blender with a console, check there's the startup message on it. Then paste this into say the frame number field.. eval(__import__('os').system('clear'), {}) Now check console again.. Just checking scripts for imports isn't enough. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi Ton, Comments inline ;) Am 07.06.2013 um 13:12 schrieb Ton Roosendaal t...@blender.org: Hi all Pythoneers, Scripters are important for Blender, but just like the C developers they have a responsibility for users out there. A good proposal for security has to come from you as experts first Sure but what if these scripters want do develop malicious code? We can't protect our users from those. We could try to implement a script signing authority for secure scripts though. But this a bit bloated IMHO ;) If this discussion just leads to marking every idea as impossible (Python is insecure by design) then we should have a big problem with keeping Python in Blender. Fork it, sandbox it, or move to LUA. I would appreciate a move to Lua, it's my personal favorite scripting language, but... All these useful and great scripts out there will have to be recoded. This will bring us the wrath of users and script coders. Let it be clear: we're making Blender here, which is meant to be a 3D creation tool. It's not a Python development environment. Users come first, scripters and coders second. So... stop being smartasses and think constructive a bit. Good point! -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 12:08, Domino Marama wrote: On 06/07/2013 10:21 AM, Ton Roosendaal wrote: Hi Campbell, I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users? Look for example at the standard UI scripts. Apart from 1 case, there's no import os anywhere. Same goes for essential scripts riggers or animators use. So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all other cases: needs to be explicitly permitted to run. Something like this would make a trusted source option on file loading more useful. Right now, unticking trusted source is almost equivalent to disable useful features. oh = 'SOS HELP!' ohoh = __import__(oh[1:3].lower()) ohoh module 'os' from '/home/domino/Applications/blender-2.67-linux-glibc211-x86_64/2.67/python/lib/python3.3/os.py' On Linux distros where system Python is used, I doubt anything can be done to prevent the import function from being used. Load Blender with a console, check there's the startup message on it. Then paste this into say the frame number field.. eval(__import__('os').system('clear'), {}) Now check console again.. Just checking scripts for imports isn't enough. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
If you want security by default then my suggestion is to just disable scripts by default on load. If the .blend file contains a script the info header can show a warning and button to reload the .blend file with scripts enabled. Realistically I think Python and the Blender Python API are just insecure, and that securing them is not feasible. We could however make it difficult enough to do this that only an expert could make malicious .blend files. That does mean we need to fork Python, create a sandbox implementation for Python 3.0, and audit the entire API for security issues, and then create a system where we make a distinction between secure and insecure scripts (as the latter will always be needed for some cases). I expect that would take 6-12 months of development time, along with continued work maintaining our own Python fork and keeping the BPY API secure. Switching to another language takes even more development time of course, and Python is basically the standard scripting language for 3D. Users often to own scripting, especially at small studios, and so I thinking saying users come before scripters in this case. Switching to a language like LUA which does not a similar ecosystem around the language would definitely affect users. On Fri, Jun 7, 2013 at 1:12 PM, Ton Roosendaal t...@blender.org wrote: Hi all Pythoneers, Scripters are important for Blender, but just like the C developers they have a responsibility for users out there. A good proposal for security has to come from you as experts first. If this discussion just leads to marking every idea as impossible (Python is insecure by design) then we should have a big problem with keeping Python in Blender. Fork it, sandbox it, or move to LUA. Let it be clear: we're making Blender here, which is meant to be a 3D creation tool. It's not a Python development environment. Users come first, scripters and coders second. So... stop being smartasses and think constructive a bit. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 12:08, Domino Marama wrote: On 06/07/2013 10:21 AM, Ton Roosendaal wrote: Hi Campbell, I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users? Look for example at the standard UI scripts. Apart from 1 case, there's no import os anywhere. Same goes for essential scripts riggers or animators use. So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all other cases: needs to be explicitly permitted to run. Something like this would make a trusted source option on file loading more useful. Right now, unticking trusted source is almost equivalent to disable useful features. oh = 'SOS HELP!' ohoh = __import__(oh[1:3].lower()) ohoh module 'os' from '/home/domino/Applications/blender-2.67-linux-glibc211-x86_64/2.67/python/lib/python3.3/os.py' On Linux distros where system Python is used, I doubt anything can be done to prevent the import function from being used. Load Blender with a console, check there's the startup message on it. Then paste this into say the frame number field.. eval(__import__('os').system('clear'), {}) Now check console again.. Just checking scripts for imports isn't enough. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On 07.06.2013 15:15, Brecht Van Lommel wrote: If you want security by default then my suggestion is to just disable scripts by default on load. If the .blend file contains a script the info header can show a warning and button to reload the .blend file with scripts enabled. As a user and developer, I think this sounds like a good approach. There could be an option in the preferences to always enable script loading, which is disabled by default. - Asbjørn ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Fri, Jun 7, 2013 at 4:42 PM, Ton Roosendaal t...@blender.org wrote: Hi all Pythoneers, Scripters are important for Blender, but just like the C developers they have a responsibility for users out there. A good proposal for security has to come from you as experts first. Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? The script can have a way to update a set of rules that marks the files safe or unsafe. May be blender institute can maintain a database and the script will auto-update the rules. People responsible for the python API can keep updating the database incrementally. Now why a different script? . 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. 2 : it can be run individually by the security conscious people . at least they will have a way to check if a blend file is evil or good . 3: for large deployments it can be run in batch mode to check multiple files at once . This way we can make the users happy . at least they will have a way to tell what the blend file is up to . In a studio we need not worry about it as there are proper user permissions and policies already implemented. If this discussion just leads to marking every idea as impossible (Python is insecure by design) then we should have a big problem with keeping Python in Blender. Fork it, sandbox it, or move to LUA. This is not at all constructive! . Arguing against using python and replacing it with a crippled scripting language is as good as telling professional studios users to stop using blender directly. it will not help blender in anyway. first thing they see is how can data be interchanged between softwares . no studio will dump their existing softwares and start using blender entirely for all their production stages . blender should be able to communicate with other software and a restricted scripting language will not help blender or its users. as it is, i am already feeling crippled without a socket based command port in blender . there is no way to send a command to blender like opening files, linking etc! . well . this is not needed if we have only a blender specific pipeline. but if we want to keep our pipeline UI out of blender then its very useful Let it be clear: we're making Blender here, which is meant to be a 3D creation tool. It's not a Python development environment. Users come first, scripters and coders second. So... stop being smartasses and think constructive a bit. A 3D creation tool without a powerfull scripting api is useless nowadays, at least for professional users. Users come first . yes.. i totally agree with you . but the users always improve and always want more out the software once they become aware that they can do certain things in blender . And the same users who wanted too much security will be annoyed by the same security measures once they come out of their hobbyist attitude and become scripters and coders. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 12:08, Domino Marama wrote: On 06/07/2013 10:21 AM, Ton Roosendaal wrote: Hi Campbell, I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users? Look for example at the standard UI scripts. Apart from 1 case, there's no import os anywhere. Same goes for essential scripts riggers or animators use. So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all other cases: needs to be explicitly permitted to run. Something like this would make a trusted source option on file loading more useful. Right now, unticking trusted source is almost equivalent to disable useful features. oh = 'SOS HELP!' ohoh = __import__(oh[1:3].lower()) ohoh module 'os' from '/home/domino/Applications/blender-2.67-linux-glibc211-x86_64/2.67/python/lib/python3.3/os.py' On Linux distros where system Python is used, I doubt anything can be done to prevent the import function from being used. Load Blender with a console, check there's the startup message on it. Then paste this into say the frame number field.. eval(__import__('os').system('clear'), {}) Now check console again.. Just checking scripts for imports isn't enough. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Gaia had a very good suggestion that is overlooked, so I repeat his email: Currently we only have 2 options: - trust everybody (default) - trust nobody (use the -Y commandline parameter. We need the third option, selectively enable scripts, at loading time. - i care: ask me case by case Why not just add in User preferences: [ ] Auto run scripts (we have this already) [X] Ask for autorun on load if general Autorun is disabled This would solve all purposes. Thanks, Erwin On 7 June 2013 07:37, Shrinidhi Rao shrinidhi...@gmail.com wrote: On Fri, Jun 7, 2013 at 4:42 PM, Ton Roosendaal t...@blender.org wrote: Hi all Pythoneers, Scripters are important for Blender, but just like the C developers they have a responsibility for users out there. A good proposal for security has to come from you as experts first. Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? The script can have a way to update a set of rules that marks the files safe or unsafe. May be blender institute can maintain a database and the script will auto-update the rules. People responsible for the python API can keep updating the database incrementally. Now why a different script? . 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. 2 : it can be run individually by the security conscious people . at least they will have a way to check if a blend file is evil or good . 3: for large deployments it can be run in batch mode to check multiple files at once . This way we can make the users happy . at least they will have a way to tell what the blend file is up to . In a studio we need not worry about it as there are proper user permissions and policies already implemented. If this discussion just leads to marking every idea as impossible (Python is insecure by design) then we should have a big problem with keeping Python in Blender. Fork it, sandbox it, or move to LUA. This is not at all constructive! . Arguing against using python and replacing it with a crippled scripting language is as good as telling professional studios users to stop using blender directly. it will not help blender in anyway. first thing they see is how can data be interchanged between softwares . no studio will dump their existing softwares and start using blender entirely for all their production stages . blender should be able to communicate with other software and a restricted scripting language will not help blender or its users. as it is, i am already feeling crippled without a socket based command port in blender . there is no way to send a command to blender like opening files, linking etc! . well . this is not needed if we have only a blender specific pipeline. but if we want to keep our pipeline UI out of blender then its very useful Let it be clear: we're making Blender here, which is meant to be a 3D creation tool. It's not a Python development environment. Users come first, scripters and coders second. So... stop being smartasses and think constructive a bit. A 3D creation tool without a powerfull scripting api is useless nowadays, at least for professional users. Users come first . yes.. i totally agree with you . but the users always improve and always want more out the software once they become aware that they can do certain things in blender . And the same users who wanted too much security will be annoyed by the same security measures once they come out of their hobbyist attitude and become scripters and coders. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 12:08, Domino Marama wrote: On 06/07/2013 10:21 AM, Ton Roosendaal wrote: Hi Campbell, I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users? Look for example at the standard UI scripts. Apart from 1 case, there's no import os anywhere. Same goes for essential scripts riggers or animators use. So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all other cases: needs to be explicitly permitted to run. Something like this would make a trusted source option on file loading more useful. Right now, unticking trusted source is almost equivalent to disable useful features. oh = 'SOS HELP!' ohoh = __import__(oh[1:3].lower()) ohoh module 'os' from '/home/domino/Applications/blender-2.67-linux-glibc211-x86_64/2.67/python/lib/python3.3/os.py' On Linux
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
I still maintain that this an attempt to deal with what is only a (hypothetical) one-to-one attack. This is not like a Word macro or virus-infected exe which results in a one-many-many attack. One-to-one attacks aren't worth dealing with since the damage doesn't spread outward from the attacked. There are uncountable ways of one person attacking one other. I'd probably just embed the file icon for Blender into a new executable and name it bunny.blend.exe... Harley ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi, I don't think I understand what you're saying here. Sorry wasn't clear, I referred to auto-run of scripts. If a user installs an add-on, then it's at least a concious decision to use it. The source of add-on is known, and a user can decide to stick to official released ones. That's secure enough. I think the idea that you can somehow quickly reduce the problem to a useful subset of Python and the Blender API is flawed. I don't agree, for me 'security' here would mean at the same level we apply for our C code now. Better security then can be done step by step. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 16:33, Brecht Van Lommel wrote: On Fri, Jun 7, 2013 at 4:02 PM, Ton Roosendaal t...@blender.org wrote: If you want security by default then my suggestion is to just disable scripts by default on load. If the .blend file contains a script the info header can show a warning and button to reload the .blend file with scripts enabled. Sounds OK - I also need to know how this works for add-ons then. If our standard is to have scripts require this registration as add-on first, we have a built-in security as well. Activate once, then use. In order to declare a python script safe we need a trusted developer to approve it manually. I think that's what the bf-extensions repository is for, addons that are there can be considered secure? But I don't think I understand what you're saying here. It does not seem to be particularly useful to me to distinguish between secure and insecure addons not in our repository, as maybe half of them need disk access anyway. Realistically I think Python and the Blender Python API are just insecure, and that securing them is not feasible. We could however make it difficult enough to do this that only an expert could make malicious .blend files. That does mean we need to fork Python, create a sandbox implementation for Python 3.0, and audit the entire API for security issues, and then create a system where we make a distinction between secure and insecure scripts (as the latter will always be needed for some cases). I expect that would take 6-12 months of development time, along with continued work maintaining our own Python fork and keeping the BPY API secure. This development should be done by Python.org then. Blender is not the only Python embedded project who would love to see attention for such topics. A year of development time would be feasible to organize sponsoring for. Autodesk hint hint! Besides that - I think you make a logical mistake in the reasoning. We don't need to make a complete secure Python for everything. We just want safe ways of running scripts in Blender. Reduce the problem first, then tackle it. And then - in the end - check on how to enable adminstrators to manage their harddrives. I think the idea that you can somehow quickly reduce the problem to a useful subset of Python and the Blender API is flawed. If you disable anything that's potentially insecure you're not left with much, as calling operators, changing keybindings, add/replacing buttons in the UI, driver setups, editing user preferences, creating modifiers and nodes that write to disk, ... can all be exploited. I think it will take a bunch of time to make those secure one by one before you'd be able to write useful secure scripts again. Brecht. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi Shrinidhi, Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? That's interesting to check, but I don't like to make users responsible for checking each .blend they want to load. My preference is a way that's relatively safe and works out of the box for everyone (except system administrators :). 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. That is only true if we stick to how it works now. We can find ways to either force scripts to become add-ons or to mark .blend files or scripts as trusted for own use and studios. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 16:37, Shrinidhi Rao wrote: On Fri, Jun 7, 2013 at 4:42 PM, Ton Roosendaal t...@blender.org wrote: Hi all Pythoneers, Scripters are important for Blender, but just like the C developers they have a responsibility for users out there. A good proposal for security has to come from you as experts first. Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? The script can have a way to update a set of rules that marks the files safe or unsafe. May be blender institute can maintain a database and the script will auto-update the rules. People responsible for the python API can keep updating the database incrementally. Now why a different script? . 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. 2 : it can be run individually by the security conscious people . at least they will have a way to check if a blend file is evil or good . 3: for large deployments it can be run in batch mode to check multiple files at once . This way we can make the users happy . at least they will have a way to tell what the blend file is up to . In a studio we need not worry about it as there are proper user permissions and policies already implemented. If this discussion just leads to marking every idea as impossible (Python is insecure by design) then we should have a big problem with keeping Python in Blender. Fork it, sandbox it, or move to LUA. This is not at all constructive! . Arguing against using python and replacing it with a crippled scripting language is as good as telling professional studios users to stop using blender directly. it will not help blender in anyway. first thing they see is how can data be interchanged between softwares . no studio will dump their existing softwares and start using blender entirely for all their production stages . blender should be able to communicate with other software and a restricted scripting language will not help blender or its users. as it is, i am already feeling crippled without a socket based command port in blender . there is no way to send a command to blender like opening files, linking etc! . well . this is not needed if we have only a blender specific pipeline. but if we want to keep our pipeline UI out of blender then its very useful Let it be clear: we're making Blender here, which is meant to be a 3D creation tool. It's not a Python development environment. Users come first, scripters and coders second. So... stop being smartasses and think constructive a bit. A 3D creation tool without a powerfull scripting api is useless nowadays, at least for professional users. Users come first . yes.. i totally agree with you . but the users always improve and always want more out the software once they become aware that they can do certain things in blender . And the same users who wanted too much security will be annoyed by the same security measures once they come out of their hobbyist attitude and become scripters and coders. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 12:08, Domino Marama wrote: On 06/07/2013 10:21 AM, Ton Roosendaal wrote: Hi Campbell, I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users? Look for example at the standard UI scripts. Apart from 1 case, there's no import os anywhere. Same goes for essential scripts riggers or animators use. So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
I just want Blender to ask me at loading time, if I want to run scripts or not. Obviously option should be a user preference. At loading time you can then reply: 1) run script this time 2) don't run scripts this time 3) always run scripts and don't nag/ask me ever again 4) never run scripts and don't nag/ask me ever again That is a very simple starting point to better manage security I think. Thanks, Erwin On 7 June 2013 09:03, Ton Roosendaal t...@blender.org wrote: Hi Shrinidhi, Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? That's interesting to check, but I don't like to make users responsible for checking each .blend they want to load. My preference is a way that's relatively safe and works out of the box for everyone (except system administrators :). 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. That is only true if we stick to how it works now. We can find ways to either force scripts to become add-ons or to mark .blend files or scripts as trusted for own use and studios. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 16:37, Shrinidhi Rao wrote: On Fri, Jun 7, 2013 at 4:42 PM, Ton Roosendaal t...@blender.org wrote: Hi all Pythoneers, Scripters are important for Blender, but just like the C developers they have a responsibility for users out there. A good proposal for security has to come from you as experts first. Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? The script can have a way to update a set of rules that marks the files safe or unsafe. May be blender institute can maintain a database and the script will auto-update the rules. People responsible for the python API can keep updating the database incrementally. Now why a different script? . 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. 2 : it can be run individually by the security conscious people . at least they will have a way to check if a blend file is evil or good . 3: for large deployments it can be run in batch mode to check multiple files at once . This way we can make the users happy . at least they will have a way to tell what the blend file is up to . In a studio we need not worry about it as there are proper user permissions and policies already implemented. If this discussion just leads to marking every idea as impossible (Python is insecure by design) then we should have a big problem with keeping Python in Blender. Fork it, sandbox it, or move to LUA. This is not at all constructive! . Arguing against using python and replacing it with a crippled scripting language is as good as telling professional studios users to stop using blender directly. it will not help blender in anyway. first thing they see is how can data be interchanged between softwares . no studio will dump their existing softwares and start using blender entirely for all their production stages . blender should be able to communicate with other software and a restricted scripting language will not help blender or its users. as it is, i am already feeling crippled without a socket based command port in blender . there is no way to send a command to blender like opening files, linking etc! . well . this is not needed if we have only a blender specific pipeline. but if we want to keep our pipeline UI out of blender then its very useful Let it be clear: we're making Blender here, which is meant to be a 3D creation tool. It's not a Python development environment. Users come first, scripters and coders second. So... stop being smartasses and think constructive a bit. A 3D creation tool without a powerfull scripting api is useless nowadays, at least for professional users. Users come first . yes.. i totally agree with you . but the users always improve and always want more out the software once they become aware that they can do certain things in blender . And the same users who wanted too much security will be annoyed by the same security measures once they come out of their hobbyist attitude and become scripters and coders. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun,
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi, Making autorun default off (and optional) is really a good start. But it's not enough. Especially requesters won't work well. Nearly every person who gets the menu Do you want to run this script wouldn't know what to anwser. It's like a click on I agreed with the license. Only lawyers are interested in such - it moves liability to the user. Bad practice. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 18:15, Erwin Coumans wrote: I just want Blender to ask me at loading time, if I want to run scripts or not. Obviously option should be a user preference. At loading time you can then reply: 1) run script this time 2) don't run scripts this time 3) always run scripts and don't nag/ask me ever again 4) never run scripts and don't nag/ask me ever again That is a very simple starting point to better manage security I think. Thanks, Erwin On 7 June 2013 09:03, Ton Roosendaal t...@blender.org wrote: Hi Shrinidhi, Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? That's interesting to check, but I don't like to make users responsible for checking each .blend they want to load. My preference is a way that's relatively safe and works out of the box for everyone (except system administrators :). 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. That is only true if we stick to how it works now. We can find ways to either force scripts to become add-ons or to mark .blend files or scripts as trusted for own use and studios. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 16:37, Shrinidhi Rao wrote: On Fri, Jun 7, 2013 at 4:42 PM, Ton Roosendaal t...@blender.org wrote: Hi all Pythoneers, Scripters are important for Blender, but just like the C developers they have a responsibility for users out there. A good proposal for security has to come from you as experts first. Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? The script can have a way to update a set of rules that marks the files safe or unsafe. May be blender institute can maintain a database and the script will auto-update the rules. People responsible for the python API can keep updating the database incrementally. Now why a different script? . 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. 2 : it can be run individually by the security conscious people . at least they will have a way to check if a blend file is evil or good . 3: for large deployments it can be run in batch mode to check multiple files at once . This way we can make the users happy . at least they will have a way to tell what the blend file is up to . In a studio we need not worry about it as there are proper user permissions and policies already implemented. If this discussion just leads to marking every idea as impossible (Python is insecure by design) then we should have a big problem with keeping Python in Blender. Fork it, sandbox it, or move to LUA. This is not at all constructive! . Arguing against using python and replacing it with a crippled scripting language is as good as telling professional studios users to stop using blender directly. it will not help blender in anyway. first thing they see is how can data be interchanged between softwares . no studio will dump their existing softwares and start using blender entirely for all their production stages . blender should be able to communicate with other software and a restricted scripting language will not help blender or its users. as it is, i am already feeling crippled without a socket based command port in blender . there is no way to send a command to blender like opening files, linking etc! . well . this is not needed if we have only a blender specific pipeline. but if we want to keep our pipeline UI out of blender then its very useful Let it be clear: we're making Blender here, which is meant to be a 3D creation tool. It's not a Python development environment. Users come first, scripters and coders second. So... stop being smartasses and think constructive a bit. A 3D creation tool without a powerfull scripting api is useless nowadays, at least for professional users. Users
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Nearly every person who gets the menu Do you want to run this script wouldn't know what to anwser. I think you under-estimate Blender users. People are familiar with such a question, for example when using a web browser. I think it is good to give the user control. On 7 June 2013 09:26, Ton Roosendaal t...@blender.org wrote: Hi, Making autorun default off (and optional) is really a good start. But it's not enough. Especially requesters won't work well. Nearly every person who gets the menu Do you want to run this script wouldn't know what to anwser. It's like a click on I agreed with the license. Only lawyers are interested in such - it moves liability to the user. Bad practice. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 18:15, Erwin Coumans wrote: I just want Blender to ask me at loading time, if I want to run scripts or not. Obviously option should be a user preference. At loading time you can then reply: 1) run script this time 2) don't run scripts this time 3) always run scripts and don't nag/ask me ever again 4) never run scripts and don't nag/ask me ever again That is a very simple starting point to better manage security I think. Thanks, Erwin On 7 June 2013 09:03, Ton Roosendaal t...@blender.org wrote: Hi Shrinidhi, Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? That's interesting to check, but I don't like to make users responsible for checking each .blend they want to load. My preference is a way that's relatively safe and works out of the box for everyone (except system administrators :). 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. That is only true if we stick to how it works now. We can find ways to either force scripts to become add-ons or to mark .blend files or scripts as trusted for own use and studios. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 16:37, Shrinidhi Rao wrote: On Fri, Jun 7, 2013 at 4:42 PM, Ton Roosendaal t...@blender.org wrote: Hi all Pythoneers, Scripters are important for Blender, but just like the C developers they have a responsibility for users out there. A good proposal for security has to come from you as experts first. Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? The script can have a way to update a set of rules that marks the files safe or unsafe. May be blender institute can maintain a database and the script will auto-update the rules. People responsible for the python API can keep updating the database incrementally. Now why a different script? . 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. 2 : it can be run individually by the security conscious people . at least they will have a way to check if a blend file is evil or good . 3: for large deployments it can be run in batch mode to check multiple files at once . This way we can make the users happy . at least they will have a way to tell what the blend file is up to . In a studio we need not worry about it as there are proper user permissions and policies already implemented. If this discussion just leads to marking every idea as impossible (Python is insecure by design) then we should have a big problem with keeping Python in Blender. Fork it, sandbox it, or move to LUA. This is not at all constructive! . Arguing against using python and replacing it with a crippled scripting language is as good as telling professional studios users to stop using blender directly. it will not help blender in anyway. first thing they see is how can data be interchanged between softwares . no studio will dump their existing softwares and start using blender entirely for all their production stages . blender should be able to communicate with other software and a restricted scripting language will not help blender or its users. as it is, i am already feeling crippled without a socket based command port in blender . there is no way to send a command to blender like opening files, linking etc! . well . this is not needed if we have only a blender specific pipeline. but if we
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Fri, Jun 7, 2013 at 7:21 PM, Ton Roosendaal t...@blender.org wrote: Hi Campbell, I don't know enough about Python internals, so I depend on someone to help designing a sane way to handle security risks here. There must be ways we can help users? So far I can only see the way to help users is limited to them running executable code bundled with a blend, or not. (as has been discussed) Look for example at the standard UI scripts. Apart from 1 case, there's no import os anywhere. Same goes for essential scripts riggers or animators use. So, why not add a provision in Blender code to check on such cases. Just don't allow import of any module = safe script? In all other cases: needs to be explicitly permitted to run. Limiting module access is just really hard to do... this isn't about being a smart-arse, its just that the way CPython works makes this near impossible unless you remove the functionality altogether. Even if importing of modules is disabled you can use namespace tricks to access modules. eg: os = next(iter(i for i in (1).__class__.__mro__[-1].__subclasses__() if i.__name__ == '_ZipDecrypter'))._UpdateKeys.__globals__[so[::-1]] Of course you can start to disable CPythons own introspection then this could be disabled but Blender currently takes advantage of this in some places so as Brecht says - this ends up becoming a large project we need to maintain, its not just some 1-2 week project to come up with a safe version of CPython. Something like this would make a trusted source option on file loading more useful. Right now, unticking trusted source is almost equivalent to disable useful features. With drivers yes, further though I don't think many blend files need to execute code. -Ton- ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
That's interesting to check, but I don't like to make users responsible for checking each .blend they want to load. My preference is a way that's relatively safe and works out of the box for everyone (except system administrators :). what if we can make it a feature of blender itself and on by default. it will check the blend file and will display a start up msg if there are known security holes and asks the user if he wants to open it . may be the option to ignore the risks can be local to a blend file so next time its opened it doesnt annoy the user. also having a cli option to disable the feature would be handy :) ... (not talking about the auto-run scripts option) one way to implement this is generate a key when the user runs blender for the first time. blender will check the blend file and determine if its legit according to the key (local files will already have the installed key from local blender). if not it will annoy the user with the risks involved . if user finds it safe he can ignore it for the rest of the blend files life . All this can happen in the background without users intervention. This way we dont have to hack and slash CPython and make it unusable . let python be We just have to invest time on creating a modular base system to find bad code in .blend files . it can be based on rules that can be improved with time . IIRC in my previous workplace we had a similar kind of system to check for malicious lines and bad practices in perl scripts -- regards - shrinidhi Even god fails to understand a human until his death! http://www.linkedin.com/in/shrinidhi666 https://github.com/shrinidhi666 http://www.imdb.com/name/nm3025616 ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Fri, Jun 7, 2013 at 2:48 AM, Thomas Dinges blen...@dingto.org wrote: Hi, this is a bad idea (especially the first one). Adobe Reader also doesn't tell me on first start Thanks for using Adobe Reader, be aware of evil .pdfs. I bet inexperienced people will get afraid reading that and come to the conclusion, that this blend format is very insecure and shouldn't be used at all. I am sure we can improve security, without frightening our user base. ;) While the threat exists and is trivial to exploit, maybe users _should_ be afraid. :\ Imagine if users had been more wary about opening emails from unknown sources, that the I Love You virus wouldn't have run a muck as badly (and this doesn't even accounting all the other attachments blindly opened by users). I'm not saying that blind fear (and not being unable to tell the difference of what to be afraid of) is any good.. but when the alternative is highly vulnerable ignorance, which is worse. Sure.. users can turn it off in their preferences (and load window?), but only if they know the threat exists to begin with. I have the feeling that most novice/intermediate users of blender think of the .blend files no differently than a text or JPEG file. That it isn't a program that can do just about anything it likes beyond the editor (baring an un-intentional bug in the viewer/editor like a buffer overflow vulnerability), but simply 3D modeling data. I mean realistically, how hard would it be for someone with a little too much [spare] time on their hands to write a python autorun script that scans for other .blend files and infects them with copies of itself (including a malicious payload presumably)? -- Lets just hope NOBODY takes that as a challenge. =| Anyone that thinks turning users off because of blender being too nagging is a problem, just wait until some mass infection spreads through the community.. then you'll see users turned off _and_ pissed. Did we learn nothing from Microsoft's convenience over security mistakes? -Chad ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
This is the best I think one can hope for given the limitations of CPython and, honestly, all I really desire from Blender in this regard. Like Microsoft's infamous macros, because of the way in which the language/platform is put together (Python, not Blender) there is not levels of security. It's all or nothing once you start running the script. Once code can be run, it is relatively trivial to work around standard checks for importing unsafe modules (like 'os'). CPython was designed as the platform on which programs are run. Like with the C/C++ 'platform', it provides access to everything one might need for whatever program you want to code up in the language. To protect access to parts of the functionality in Python whilst keeping access to others, you need to either hack CPython or replace it. This isn't smart-assery on anyone's part - it's the conclusion reached by a variety of studies/projects attempting it. As mentioned previously, Python was designed for developers to *extend*, not for safety when *embedded*. I'd be more than happy with the features Erwin proposes. It gives me the security of not running scripts automagically on startup and if I choose to run the scripts in text-blocks, I've explicitly given the script permission. -- Benjamin Tolputt On 08/06/2013, at 2:15 AM, Erwin Coumans wrote: I just want Blender to ask me at loading time, if I want to run scripts or not. Obviously option should be a user preference. At loading time you can then reply: 1) run script this time 2) don't run scripts this time 3) always run scripts and don't nag/ask me ever again 4) never run scripts and don't nag/ask me ever again That is a very simple starting point to better manage security I think. Thanks, Erwin On 7 June 2013 09:03, Ton Roosendaal t...@blender.org wrote: Hi Shrinidhi, Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? That's interesting to check, but I don't like to make users responsible for checking each .blend they want to load. My preference is a way that's relatively safe and works out of the box for everyone (except system administrators :). 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. That is only true if we stick to how it works now. We can find ways to either force scripts to become add-ons or to mark .blend files or scripts as trusted for own use and studios. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 7 Jun, 2013, at 16:37, Shrinidhi Rao wrote: On Fri, Jun 7, 2013 at 4:42 PM, Ton Roosendaal t...@blender.org wrote: Hi all Pythoneers, Scripters are important for Blender, but just like the C developers they have a responsibility for users out there. A good proposal for security has to come from you as experts first. Why not have a script that ships with blender, which can be run individually, which checks the blender file for scripts and informs the user if it is malicious or safe ? The script can have a way to update a set of rules that marks the files safe or unsafe. May be blender institute can maintain a database and the script will auto-update the rules. People responsible for the python API can keep updating the database incrementally. Now why a different script? . 1 : Changing blenders default behavior for running scripts is like killing a few scripters in studios using blender. 2 : it can be run individually by the security conscious people . at least they will have a way to check if a blend file is evil or good . 3: for large deployments it can be run in batch mode to check multiple files at once . This way we can make the users happy . at least they will have a way to tell what the blend file is up to . In a studio we need not worry about it as there are proper user permissions and policies already implemented. If this discussion just leads to marking every idea as impossible (Python is insecure by design) then we should have a big problem with keeping Python in Blender. Fork it, sandbox it, or move to LUA. This is not at all constructive! . Arguing against using python and replacing it with a crippled scripting language is as good as telling professional studios users to stop using blender directly. it will not help blender in anyway. first thing they see is how can data be interchanged between softwares . no studio will dump their existing softwares and start using blender entirely for all their production stages . blender should be able to communicate with other software and a restricted scripting language will not help blender or its
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi, I think you give up too easily here. :) For example, we could also make a bpy.os module, and mark scripts that use this as 'trusted'. Scripts using the os.module itself then require a user to explicitly run it, or being embedded in a file marked trusted (own files etc). This is not to forbid using os module, it's to not make such scripts run automatic. The main issue would be first to sanitize our non-python writing code, make sure this goes more secured and controlled. Once that's in place, scripters can use that as well, and get free support for the features we use in Blender C code all over as well. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 5 Jun, 2013, at 19:55, Campbell Barton wrote: Hacked os module isn't really an option, Python uses this for its internal operations all over the place - a lot of python modules are written in Python so these would break. In python3.3 module dir... find -name *.py | xargs grep \bos\. | wc -l -- 7833 Attempting to let Python do its own thing but sandbox Blender scripts also cant work well, In the BGE we did have some basic security (disable some modules open()... iirc), But this is trivially easy to workaround - as in one line of python to get access to the real modules/functions. The only way I could see this working would be to do this on a libc level - replacing pythons own calls to open() / fopen() etc. But this also gives high risk of breaking Python its self. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi Jace, I am not talking about your use case. You should be able to code whatever you like. However, when it comes to the binaries and software we release for everyone, I expect developers to accept some responsibilities here. We try to keep up with a high standard for C/C++ developers for Blender, and same would go for Python scripts we bundle with, and especially for how we provide facilities for running scripts for users who don't code Python. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 5 Jun, 2013, at 21:21, Jace Priester wrote: Another +1 for not changing the OS module, or anything else for that matter. I use lots of python system-related modules, including OS, in my import/export/interop pipeline. If it is broken I will most likely not be using blender anymore (seriously). Additionally, I don't believe security in blend files is an issue anyway. If you have accepted a file from an untrusted source and opened it, YOU are the security risk, not the program you opened it with. AVIs, DOCs, and various other data files have had and still do have security risks associated with them (whether internal scripts are allowed to run or not). This problem is certainly not unique to blend files, and certainly not due solely to the fact that blender allows python scripts to run. This is a non-issue. The Trusted Source checkbox is a nice feature, I guess, but realistically I've never used it because I want all blends to open and work as intended by the creator. If I think it might be a malicious file, I don't accept it in the first place. That's where security starts, and ultimately ends. On Wed, Jun 5, 2013 at 10:55 AM, Campbell Barton ideasma...@gmail.comwrote: Hacked os module isn't really an option, Python uses this for its internal operations all over the place - a lot of python modules are written in Python so these would break. In python3.3 module dir... find -name *.py | xargs grep \bos\. | wc -l -- 7833 Attempting to let Python do its own thing but sandbox Blender scripts also cant work well, In the BGE we did have some basic security (disable some modules open()... iirc), But this is trivially easy to workaround - as in one line of python to get access to the real modules/functions. The only way I could see this working would be to do this on a libc level - replacing pythons own calls to open() / fopen() etc. But this also gives high risk of breaking Python its self. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- -- Jace Priester Threespace Imaging jacepries...@threespaceimaging.com 559-284-0904 -- ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Tue, Jun 4, 2013 at 11:40 PM, Campbell Barton ideasma...@gmail.com wrote: To avoid further threads on this topic added a section to our developer FAQ. http://wiki.blender.org/index.php/Dev:Doc/FAQ#How_Does_Blender_Deal_with_Security.3F Thank you for taking an action. The section you added gives a clear explanation of the stance of developers that they accept the risk of opening an untrusted blend file. Although a section in the *developer* FAQ is probably not read by many users, I think it is good as a first step toward communicating the risk to users. Even if users have to accept some risk when they open downloaded blend files, I hope this risk can be reduced by improving Blender in some way. But beyond this intuitive level, I cannot follow the discussion, so I will leave the discussion to people who know the matter well. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi, The section you added gives a clear explanation of the stance of developers that they accept the risk of opening an untrusted blend file. That's not really true, it only explains how things work currently. I still aim for finding decent ways to better handle this risk. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 6 Jun, 2013, at 12:57, Yu Asakusa wrote: On Tue, Jun 4, 2013 at 11:40 PM, Campbell Barton ideasma...@gmail.com wrote: To avoid further threads on this topic added a section to our developer FAQ. http://wiki.blender.org/index.php/Dev:Doc/FAQ#How_Does_Blender_Deal_with_Security.3F Thank you for taking an action. The section you added gives a clear explanation of the stance of developers that they accept the risk of opening an untrusted blend file. Although a section in the *developer* FAQ is probably not read by many users, I think it is good as a first step toward communicating the risk to users. Even if users have to accept some risk when they open downloaded blend files, I hope this risk can be reduced by improving Blender in some way. But beyond this intuitive level, I cannot follow the discussion, so I will leave the discussion to people who know the matter well. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
The section you added gives a clear explanation of the stance of developers that they accept the risk of opening an untrusted blend file. That's not really true, it only explains how things work currently. I still aim for finding decent ways to better handle this risk. My apologies. I meant that the section explains the stance of developers so far which resulted in the current code, and therefore it explains the risk of the current code clearly. Things can change in the future, and I know you are trying to handle the risk in a better way. Although I cannot join the technical discussions, thank you for taking the initiative in resolving this issue better! Regards, Yu On Thu, Jun 6, 2013 at 7:08 AM, Ton Roosendaal t...@blender.org wrote: Hi, The section you added gives a clear explanation of the stance of developers that they accept the risk of opening an untrusted blend file. That's not really true, it only explains how things work currently. I still aim for finding decent ways to better handle this risk. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 6 Jun, 2013, at 12:57, Yu Asakusa wrote: On Tue, Jun 4, 2013 at 11:40 PM, Campbell Barton ideasma...@gmail.com wrote: To avoid further threads on this topic added a section to our developer FAQ. http://wiki.blender.org/index.php/Dev:Doc/FAQ#How_Does_Blender_Deal_with_Security.3F Thank you for taking an action. The section you added gives a clear explanation of the stance of developers that they accept the risk of opening an untrusted blend file. Although a section in the *developer* FAQ is probably not read by many users, I think it is good as a first step toward communicating the risk to users. Even if users have to accept some risk when they open downloaded blend files, I hope this risk can be reduced by improving Blender in some way. But beyond this intuitive level, I cannot follow the discussion, so I will leave the discussion to people who know the matter well. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Thu, Jun 6, 2013 at 6:47 PM, Ton Roosendaal t...@blender.org wrote: Hi, I think you give up too easily here. :) For example, we could also make a bpy.os module, and mark scripts that use this as 'trusted'. Scripts using the os.module itself then require a user to explicitly run it, or being embedded in a file marked trusted (own files etc). You know I already attempted this and have been shown by developers more expert in CPython internals then me, that CPython makes not effort to support such limitations and that is trivial to workaround them. You assume there is an effective way to control module importing (that we could even stop a script from using any of CPythons bundled modules - `os` included). I'd want good evidence this can be done, until someone shows this - I'll assume it can't. This is not to forbid using os module, it's to not make such scripts run automatic. The main issue would be first to sanitize our non-python writing code, make sure this goes more secured and controlled. Once that's in place, scripters can use that as well, and get free support for the features we use in Blender C code all over as well. -Ton- ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Thu, Jun 6, 2013 at 11:13 AM, Campbell Barton ideasma...@gmail.comwrote: On Thu, Jun 6, 2013 at 6:47 PM, Ton Roosendaal t...@blender.org wrote: I think you give up too easily here. :) For example, we could also make a bpy.os module, and mark scripts that use this as 'trusted'. Scripts using the os.module itself then require a user to explicitly run it, or being embedded in a file marked trusted (own files etc). You know I already attempted this and have been shown by developers more expert in CPython internals then me, that CPython makes not effort to support such limitations and that is trivial to workaround them. You assume there is an effective way to control module importing (that we could even stop a script from using any of CPythons bundled modules - `os` included). I'd want good evidence this can be done, until someone shows this - I'll assume it can't. https://pypi.python.org/pypi/pysandbox/ ? ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On 07/06/2013, at 4:13 AM, Campbell Barton wrote: On Thu, Jun 6, 2013 at 6:47 PM, Ton Roosendaal t...@blender.org wrote: Hi, I think you give up too easily here. :) For example, we could also make a bpy.os module, and mark scripts that use this as 'trusted'. Scripts using the os.module itself then require a user to explicitly run it, or being embedded in a file marked trusted (own files etc). You know I already attempted this and have been shown by developers more expert in CPython internals then me, that CPython makes not effort to support such limitations and that is trivial to workaround them. You assume there is an effective way to control module importing (that we could even stop a script from using any of CPythons bundled modules - `os` included). I'd want good evidence this can be done, until someone shows this - I'll assume it can't. I'm one of the folks who originally agitated for a more secure Blender last time this subject came up and, much as I hate to say it, Campbell has a point. Python is insecure by design. It is a consequence of Python's don't embed, extend mindset that has guided their development for over a decade. It sucks and wouldn't have happened if a scripting language designed for embedding (like Lua, AngelScript, etc) had been chosen upfront, but we're well beyond the point of choosing a more secure language - Python is the language behind Blender and we have to deal with the situation as it stands. With that acknowledgement in mind, I don't see a good argument against disabling Python when opening blend file by default (with warning in the header). Yes, I acknowledge that as soon as any Python code in the file is run (be it in a driver, in an autorun text block, whatever), you have breached whatever security Blender can provide and all the Python libraries are now accessible to the untrusted blend file, but there is nothing to say we HAVE to run those Python snippets automatically. Why is there such pressure against the ability to, as a UI accessible option, have blend files load without running their Python drivers, text blocks, etc automatically? Macros in Microsoft's Office have the same problems we do (once you allow them to run, they can own your system) and they solve it through the very simple mechanism of informing and allowing the user not to run said macros on loading. If the modal dialog UI concept is not going to be allowed in Blender, then the next best thing is to load with Python script (from the blend) disabled by default with a clear warning/message indicating such. Just because perfect security is beyond the reach of a script-enabled, Python-based application doesn't mean we should reject the low hanging fruit of enabling users to decide whether they want to run embedded scripts or not. -- Benjamin Tolputt Bent Solutions Pty Ltd ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Fri, Jun 7, 2013 at 8:09 AM, Chad Fraleigh ch...@triularity.org wrote: On Thu, Jun 6, 2013 at 11:13 AM, Campbell Barton ideasma...@gmail.comwrote: On Thu, Jun 6, 2013 at 6:47 PM, Ton Roosendaal t...@blender.org wrote: I think you give up too easily here. :) For example, we could also make a bpy.os module, and mark scripts that use this as 'trusted'. Scripts using the os.module itself then require a user to explicitly run it, or being embedded in a file marked trusted (own files etc). You know I already attempted this and have been shown by developers more expert in CPython internals then me, that CPython makes not effort to support such limitations and that is trivial to workaround them. You assume there is an effective way to control module importing (that we could even stop a script from using any of CPythons bundled modules - `os` included). I'd want good evidence this can be done, until someone shows this - I'll assume it can't. https://pypi.python.org/pypi/pysandbox/ ? Yep, I'm aware of this however it's more on experimental level from what I can tell. It requires a patched CPython, since the requested pep-416 was rejected by Guido. The main issue with pysandbox is that CPython are not maintaining, and changes to CPython may break it, if it was more actively used/maintained (as with stackless-python), then it would be more reassuring but the project isn't that active so relying on it as a long term plan isn't wise IMHO. -- - Campbell ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
As a normal hobby users, the biggest risk that I see is downloading a blend from the net and opening it. This is not something we are likely to give up. So, warning or not, what good is it? I need some way to know if the file is good or bad. I don't see an answer. I would say a good third of the users or more download blends for learning at least and often for producing their own stuff. -- Douglas E Knapp Creative Commons Film Group, Helping people make open source movies with open source software! http://douglas.bespin.org/CommonsFilmGroup/phpBB3/index.php Massage in Gelsenkirchen-Buer: http://douglas.bespin.org/tcm/ztab1.htm Please link to me and trade links with me! Open Source Sci-Fi mmoRPG Game project. http://sf-journey-creations.wikispot.org/Front_Page http://code.google.com/p/perspectiveproject/ ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Wed, Jun 5, 2013 at 8:03 AM, Knapp magick.c...@gmail.com wrote: As a normal hobby users, the biggest risk that I see is downloading a blend from the net and opening it. This is not something we are likely to give up. So, warning or not, what good is it? I need some way to know if the file is good or bad. I don't see an answer. I would say a good third of the users or more download blends for learning at least and often for producing their own stuff. What might be much more useful is a program that load a blend and tell me what it might do. For example, does it run scripts, does it have crazy large data sets? If it runs scripts then it should be able to show me them. It should look at the data sizes that the blend will use and make guesses if it is too large. Naturally it should only open the blend as data and not as blender would. -- Douglas E Knapp Creative Commons Film Group, Helping people make open source movies with open source software! http://douglas.bespin.org/CommonsFilmGroup/phpBB3/index.php Massage in Gelsenkirchen-Buer: http://douglas.bespin.org/tcm/ztab1.htm Please link to me and trade links with me! Open Source Sci-Fi mmoRPG Game project. http://sf-journey-creations.wikispot.org/Front_Page http://code.google.com/p/perspectiveproject/ ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Wed, Jun 5, 2013 at 4:21 PM, Knapp magick.c...@gmail.com wrote: On Wed, Jun 5, 2013 at 8:03 AM, Knapp magick.c...@gmail.com wrote: As a normal hobby users, the biggest risk that I see is downloading a blend from the net and opening it. This is not something we are likely to give up. So, warning or not, what good is it? I need some way to know if the file is good or bad. I don't see an answer. I would say a good third of the users or more download blends for learning at least and often for producing their own stuff. What might be much more useful is a program that load a blend and tell me what it might do. For example, does it run scripts, does it have crazy large data sets? If it runs scripts then it should be able to show me them. It should look at the data sizes that the blend will use and make guesses if it is too large. Naturally it should only open the blend as data and not as blender would. -- Douglas E Knapp Such a tool isn't so hard to write, see this python module which loads up blend files without using blender. http://blender-aid.googlecode.com/svn/trunk/src/blendfile.py ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi, I've checked some history of past discussions (including sandboxing Python) and to me it seems we still accept too much risk here. As a team (and for me as Blender Foundation chairman) I feel it's a big responsibility to not waive away so easily. More over - it's a disaster waiting to be happening one day. It would be unforgivable if we didn't at least help users to have a basic security in place. The discussion is also getting too much complicated by knowledgable people who point out that there's always another vulnerability or other methods to bypass any security feature. IMHO that's irrelevant, should never be a reason to ignore it altogether. We should be able to bring down this topic to a basic and sensible minimal protection we provide for users. Can we form some kindof workgroup to investigate it further and define a proposal for actions? Or a roadmap? And: is there a consensis to make the default startup install have 'autorun' disabled, with a notifier in the top header about it? -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 5 Jun, 2013, at 8:25, Campbell Barton wrote: On Wed, Jun 5, 2013 at 4:21 PM, Knapp magick.c...@gmail.com wrote: On Wed, Jun 5, 2013 at 8:03 AM, Knapp magick.c...@gmail.com wrote: As a normal hobby users, the biggest risk that I see is downloading a blend from the net and opening it. This is not something we are likely to give up. So, warning or not, what good is it? I need some way to know if the file is good or bad. I don't see an answer. I would say a good third of the users or more download blends for learning at least and often for producing their own stuff. What might be much more useful is a program that load a blend and tell me what it might do. For example, does it run scripts, does it have crazy large data sets? If it runs scripts then it should be able to show me them. It should look at the data sizes that the blend will use and make guesses if it is too large. Naturally it should only open the blend as data and not as blender would. -- Douglas E Knapp Such a tool isn't so hard to write, see this python module which loads up blend files without using blender. http://blender-aid.googlecode.com/svn/trunk/src/blendfile.py ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi, Here's just some ideas to investigate: 1) Better location for temp saves - remove /tmp/ usage from our default, and move it to sane a path inside user space. We can call this sandbox or so, which (on first use) could also be confirmed by users to be used as such. - sandbox paths could simply be the ones without / or // or C:\\ etc. 2) Communicate to users all saving C/C++ code well - Each save of a file should be printed in terminals. - Only allow non-user approved saves to files in sandbox (like temp files). - All other saves by tools should go by design via user confirmations (popup save-over). For tools with standard output paths (bakes, caches, anim render) only relative paths should be allowed (without confirmation). 3) Formalize definition of trusted source better. - Any .blend file with absolute output paths could be marked untrusted by default. - Macs (and Windows?) already have a way to detect a downloaded file, which can marked to be untrusted .blend. - Blender files can also get a User identifier struct, which can be used for various ways to mark files 'trusted' or not. In its simplest implementation it can just store an identifier string (copied from userpref) to mark files as saved by myself. 4) Replace Python's os module - For standard releases, the os module could follow same file save rules as our C code does. Untrusted files could default be allowed to use sandbox only. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 5 Jun, 2013, at 13:24, Ton Roosendaal wrote: Hi, I've checked some history of past discussions (including sandboxing Python) and to me it seems we still accept too much risk here. As a team (and for me as Blender Foundation chairman) I feel it's a big responsibility to not waive away so easily. More over - it's a disaster waiting to be happening one day. It would be unforgivable if we didn't at least help users to have a basic security in place. The discussion is also getting too much complicated by knowledgable people who point out that there's always another vulnerability or other methods to bypass any security feature. IMHO that's irrelevant, should never be a reason to ignore it altogether. We should be able to bring down this topic to a basic and sensible minimal protection we provide for users. Can we form some kindof workgroup to investigate it further and define a proposal for actions? Or a roadmap? And: is there a consensis to make the default startup install have 'autorun' disabled, with a notifier in the top header about it? -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 5 Jun, 2013, at 8:25, Campbell Barton wrote: On Wed, Jun 5, 2013 at 4:21 PM, Knapp magick.c...@gmail.com wrote: On Wed, Jun 5, 2013 at 8:03 AM, Knapp magick.c...@gmail.com wrote: As a normal hobby users, the biggest risk that I see is downloading a blend from the net and opening it. This is not something we are likely to give up. So, warning or not, what good is it? I need some way to know if the file is good or bad. I don't see an answer. I would say a good third of the users or more download blends for learning at least and often for producing their own stuff. What might be much more useful is a program that load a blend and tell me what it might do. For example, does it run scripts, does it have crazy large data sets? If it runs scripts then it should be able to show me them. It should look at the data sizes that the blend will use and make guesses if it is too large. Naturally it should only open the blend as data and not as blender would. -- Douglas E Knapp Such a tool isn't so hard to write, see this python module which loads up blend files without using blender. http://blender-aid.googlecode.com/svn/trunk/src/blendfile.py ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Wed, 2013-06-05 at 14:35 +0200, Ton Roosendaal wrote: Hi, Here's just some ideas to investigate: 1) Better location for temp saves 1) is actually really nice, /tmp has issues on some systems still and we often move the default to inside the home dir. esp. some systems don't keep /tmp between boots which has caused data loss sometimes. 2) Communicate to users all saving C/C++ code well saves initiated by a user (not by a script, tool, autosave or node save) should probably allowed anywhere the user has permission. also the user should have an easy way to make a file trusted. 3) Formalize definition of trusted source better. - Any .blend file with absolute output paths could be marked untrusted by default. - Macs (and Windows?) already have a way to detect a downloaded file, which can marked to be untrusted .blend. - Blender files can also get a User identifier struct, which can be used for various ways to mark files 'trusted' or not. In its simplest implementation it can just store an identifier string (copied from userpref) to mark files as saved by myself. Once you get into this the trusted thing can be forged; I'm guessing some cyptography / security people have to weigh in on how to stop that. 4) Replace Python's os module Please don't! We use python OS module so much for pipeline scripts, and I can't imagine other studios just don't do this. Replacing it with something crippled for security would be a huge annoyance - yes we can build our own, but for us at least we depend on external collaborators running on their own systems - sometimes our builds don't work for them. Things that we need to do are in the file manipulation range, such as moving or renaming large numbers of files, we access our share for the project in an absolute path in the root (this was standard practice before I got here) etc. etc. Messing with OS module would be pretty bad for us, and I don't know what would make it safe other than removing most of it's functionality anyway (the only thing safe is probably file path joining/splitting) -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 5 Jun, 2013, at 13:24, Ton Roosendaal wrote: Hi, I've checked some history of past discussions (including sandboxing Python) and to me it seems we still accept too much risk here. As a team (and for me as Blender Foundation chairman) I feel it's a big responsibility to not waive away so easily. More over - it's a disaster waiting to be happening one day. It would be unforgivable if we didn't at least help users to have a basic security in place. The discussion is also getting too much complicated by knowledgable people who point out that there's always another vulnerability or other methods to bypass any security feature. IMHO that's irrelevant, should never be a reason to ignore it altogether. We should be able to bring down this topic to a basic and sensible minimal protection we provide for users. Can we form some kindof workgroup to investigate it further and define a proposal for actions? Or a roadmap? And: is there a consensis to make the default startup install have 'autorun' disabled, with a notifier in the top header about it? -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 5 Jun, 2013, at 8:25, Campbell Barton wrote: On Wed, Jun 5, 2013 at 4:21 PM, Knapp magick.c...@gmail.com wrote: On Wed, Jun 5, 2013 at 8:03 AM, Knapp magick.c...@gmail.com wrote: As a normal hobby users, the biggest risk that I see is downloading a blend from the net and opening it. This is not something we are likely to give up. So, warning or not, what good is it? I need some way to know if the file is good or bad. I don't see an answer. I would say a good third of the users or more download blends for learning at least and often for producing their own stuff. What might be much more useful is a program that load a blend and tell me what it might do. For example, does it run scripts, does it have crazy large data sets? If it runs scripts then it should be able to show me them. It should look at the data sizes that the blend will use and make guesses if it is too large. Naturally it should only open the blend as data and not as blender would. -- Douglas E Knapp Such a tool isn't so hard to write, see this python module which loads up blend files without using blender. http://blender-aid.googlecode.com/svn/trunk/src/blendfile.py ___ Bf-committers mailing list
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi, Things that we need to do are in the file manipulation range, such as moving or renaming large numbers of files Well, that you can do outside Blender via regular Python too? Further - if we can make file manipulations in the UI work sane/safe (and usable still), the hacked os module would just do same :) You will also define your own blends to be 'trusted' and allow scripts there to write anywhere you want (or not). -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 5 Jun, 2013, at 16:19, Bassam Kurdali wrote: On Wed, 2013-06-05 at 14:35 +0200, Ton Roosendaal wrote: Hi, Here's just some ideas to investigate: 1) Better location for temp saves 1) is actually really nice, /tmp has issues on some systems still and we often move the default to inside the home dir. esp. some systems don't keep /tmp between boots which has caused data loss sometimes. 2) Communicate to users all saving C/C++ code well saves initiated by a user (not by a script, tool, autosave or node save) should probably allowed anywhere the user has permission. also the user should have an easy way to make a file trusted. 3) Formalize definition of trusted source better. - Any .blend file with absolute output paths could be marked untrusted by default. - Macs (and Windows?) already have a way to detect a downloaded file, which can marked to be untrusted .blend. - Blender files can also get a User identifier struct, which can be used for various ways to mark files 'trusted' or not. In its simplest implementation it can just store an identifier string (copied from userpref) to mark files as saved by myself. Once you get into this the trusted thing can be forged; I'm guessing some cyptography / security people have to weigh in on how to stop that. 4) Replace Python's os module Please don't! We use python OS module so much for pipeline scripts, and I can't imagine other studios just don't do this. Replacing it with something crippled for security would be a huge annoyance - yes we can build our own, but for us at least we depend on external collaborators running on their own systems - sometimes our builds don't work for them. Things that we need to do are in the file manipulation range, such as moving or renaming large numbers of files, we access our share for the project in an absolute path in the root (this was standard practice before I got here) etc. etc. Messing with OS module would be pretty bad for us, and I don't know what would make it safe other than removing most of it's functionality anyway (the only thing safe is probably file path joining/splitting) -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 5 Jun, 2013, at 13:24, Ton Roosendaal wrote: Hi, I've checked some history of past discussions (including sandboxing Python) and to me it seems we still accept too much risk here. As a team (and for me as Blender Foundation chairman) I feel it's a big responsibility to not waive away so easily. More over - it's a disaster waiting to be happening one day. It would be unforgivable if we didn't at least help users to have a basic security in place. The discussion is also getting too much complicated by knowledgable people who point out that there's always another vulnerability or other methods to bypass any security feature. IMHO that's irrelevant, should never be a reason to ignore it altogether. We should be able to bring down this topic to a basic and sensible minimal protection we provide for users. Can we form some kindof workgroup to investigate it further and define a proposal for actions? Or a roadmap? And: is there a consensis to make the default startup install have 'autorun' disabled, with a notifier in the top header about it? -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 5 Jun, 2013, at 8:25, Campbell Barton wrote: On Wed, Jun 5, 2013 at 4:21 PM, Knapp magick.c...@gmail.com wrote: On Wed, Jun 5, 2013 at 8:03 AM, Knapp magick.c...@gmail.com wrote: As a normal hobby users, the biggest risk that I see is downloading a blend from the net and opening it. This is not something we are likely to give up. So, warning or not, what good is it? I need some way to know if the file is good or bad. I don't see an answer. I would say a good third of the users or more download blends for learning at least and often for
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
In reply to Ton Roosendaal (t...@blender.org): From: Ton Roosendaal t...@blender.org Date: Wed, 5 Jun 2013 14:35:16 +0200 To: bf-blender developers bf-committers@blender.org X-Mailer: Apple Mail (2.1283) Subject: Re: [Bf-committers] Please turn off Auto Run Python Scripts by default Reply-To: bf-blender developers bf-committers@blender.org Hi, 3) Formalize definition of trusted source better. - Any .blend file with absolute output paths could be marked untrusted by default. - Macs (and Windows?) already have a way to detect a downloaded file, which can marked to be untrusted .blend. - Blender files can also get a User identifier struct, which can be used for various ways to mark files 'trusted' or not. In its simplest implementation it can just store an identifier string (copied from userpref) to mark files as saved by myself. And we could create a file that stores oked identifiers. Similar to ssh's known_hosts If you open a file with an unknown identifier ask do you really want to open the file, and do you want to store that identifier as trusted. Kent ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Ton Roosendaal t...@blender.org wrote: Hi, Things that we need to do are in the file manipulation range, such as moving or renaming large numbers of files Well, that you can do outside Blender via regular Python too? Further - if we can make file manipulations in the UI work sane/safe (and usable still), the hacked os module would just do same :) You will also define your own blends to be 'trusted' and allow scripts there to write anywhere you want (or not). -Ton- This is likely to be problematic. I know I've relied on the os module for a number of my own internal scripts for pipeline as well as other tasks... and not just for file I/O. For example, the subprocess library is likely a huge security hole, but it's incredibly useful (almost required) for calling programs that don't have a Python API (or only a python2 API). Sure, a lot of these things could be done outside of Blender, but it's far more convenient to have it inside... especially for external artists who don't roll their own Blender. In addition to my own esoteric scripts, I'd be curious about how this might impact Import/Export scripts as well as external renderers. -Jason ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Disabling os module might cause a lot of problems. Pipeline and other batch scripts rely on it a lot. We also use a lot of absolute path in our pipeline scripts since we move a lot of files across directories for version control , publishing to the next stage , import directories of the stages , etc ., etc . using relative paths causes a lot of problems here . A cli option to disable all this security thingies would be great boon if at all the security measures are implemented. On Wed, Jun 5, 2013 at 8:46 PM, Jason van Gumster ja...@handturkeystudios.com wrote: Ton Roosendaal t...@blender.org wrote: Hi, Things that we need to do are in the file manipulation range, such as moving or renaming large numbers of files Well, that you can do outside Blender via regular Python too? Further - if we can make file manipulations in the UI work sane/safe (and usable still), the hacked os module would just do same :) You will also define your own blends to be 'trusted' and allow scripts there to write anywhere you want (or not). -Ton- This is likely to be problematic. I know I've relied on the os module for a number of my own internal scripts for pipeline as well as other tasks... and not just for file I/O. For example, the subprocess library is likely a huge security hole, but it's incredibly useful (almost required) for calling programs that don't have a Python API (or only a python2 API). Sure, a lot of these things could be done outside of Blender, but it's far more convenient to have it inside... especially for external artists who don't roll their own Blender. In addition to my own esoteric scripts, I'd be curious about how this might impact Import/Export scripts as well as external renderers. -Jason ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- regards - shrinidhi Even god fails to understand a human until his death! http://www.linkedin.com/in/shrinidhi666 https://github.com/shrinidhi666 http://www.imdb.com/name/nm3025616 ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi, I am not proposing to make advanced system adminstration entirely impossible. It's just not a sane default to release, nor to give to everyone in a studio. The challenge is to find out a good, sane and usable way to configure Blender securely. It could work all fine for people in studios on daily work, and for occasional users who play with Blender and download files. And it could work for the TD to do massive data manipulations. Needless to say: if you run a movie making bizz, you also will set up accounts and permissions in a way you protect valuable data. A user accidentally deleting every shot is not fun ever. -Ton- Ton Roosendaal - t...@blender.org - www.blender.org Chairman Blender Foundation - Producer Blender Institute Entrepotdok 57A - 1018AD Amsterdam - The Netherlands On 5 Jun, 2013, at 17:29, Shrinidhi Rao wrote: Disabling os module might cause a lot of problems. Pipeline and other batch scripts rely on it a lot. We also use a lot of absolute path in our pipeline scripts since we move a lot of files across directories for version control , publishing to the next stage , import directories of the stages , etc ., etc . using relative paths causes a lot of problems here . A cli option to disable all this security thingies would be great boon if at all the security measures are implemented. On Wed, Jun 5, 2013 at 8:46 PM, Jason van Gumster ja...@handturkeystudios.com wrote: Ton Roosendaal t...@blender.org wrote: Hi, Things that we need to do are in the file manipulation range, such as moving or renaming large numbers of files Well, that you can do outside Blender via regular Python too? Further - if we can make file manipulations in the UI work sane/safe (and usable still), the hacked os module would just do same :) You will also define your own blends to be 'trusted' and allow scripts there to write anywhere you want (or not). -Ton- This is likely to be problematic. I know I've relied on the os module for a number of my own internal scripts for pipeline as well as other tasks... and not just for file I/O. For example, the subprocess library is likely a huge security hole, but it's incredibly useful (almost required) for calling programs that don't have a Python API (or only a python2 API). Sure, a lot of these things could be done outside of Blender, but it's far more convenient to have it inside... especially for external artists who don't roll their own Blender. In addition to my own esoteric scripts, I'd be curious about how this might impact Import/Export scripts as well as external renderers. -Jason ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- regards - shrinidhi Even god fails to understand a human until his death! http://www.linkedin.com/in/shrinidhi666 https://github.com/shrinidhi666 http://www.imdb.com/name/nm3025616 ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hacked os module isn't really an option, Python uses this for its internal operations all over the place - a lot of python modules are written in Python so these would break. In python3.3 module dir... find -name *.py | xargs grep \bos\. | wc -l -- 7833 Attempting to let Python do its own thing but sandbox Blender scripts also cant work well, In the BGE we did have some basic security (disable some modules open()... iirc), But this is trivially easy to workaround - as in one line of python to get access to the real modules/functions. The only way I could see this working would be to do this on a libc level - replacing pythons own calls to open() / fopen() etc. But this also gives high risk of breaking Python its self. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Another +1 for not changing the OS module, or anything else for that matter. I use lots of python system-related modules, including OS, in my import/export/interop pipeline. If it is broken I will most likely not be using blender anymore (seriously). Additionally, I don't believe security in blend files is an issue anyway. If you have accepted a file from an untrusted source and opened it, YOU are the security risk, not the program you opened it with. AVIs, DOCs, and various other data files have had and still do have security risks associated with them (whether internal scripts are allowed to run or not). This problem is certainly not unique to blend files, and certainly not due solely to the fact that blender allows python scripts to run. This is a non-issue. The Trusted Source checkbox is a nice feature, I guess, but realistically I've never used it because I want all blends to open and work as intended by the creator. If I think it might be a malicious file, I don't accept it in the first place. That's where security starts, and ultimately ends. On Wed, Jun 5, 2013 at 10:55 AM, Campbell Barton ideasma...@gmail.comwrote: Hacked os module isn't really an option, Python uses this for its internal operations all over the place - a lot of python modules are written in Python so these would break. In python3.3 module dir... find -name *.py | xargs grep \bos\. | wc -l -- 7833 Attempting to let Python do its own thing but sandbox Blender scripts also cant work well, In the BGE we did have some basic security (disable some modules open()... iirc), But this is trivially easy to workaround - as in one line of python to get access to the real modules/functions. The only way I could see this working would be to do this on a libc level - replacing pythons own calls to open() / fopen() etc. But this also gives high risk of breaking Python its self. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- -- Jace Priester Threespace Imaging jacepries...@threespaceimaging.com 559-284-0904 -- ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Thu, Jun 6, 2013 at 5:21 AM, Jace Priester jacepries...@threespaceimaging.com wrote: Another +1 for not changing the OS module, or anything else for that matter. I use lots of python system-related modules, including OS, in my import/export/interop pipeline. If it is broken I will most likely not be using blender anymore (seriously). Additionally, I don't believe security in blend files is an issue anyway. If you have accepted a file from an untrusted source and opened it, YOU are the security risk, not the program you opened it with. AVIs, DOCs, and various other data files have had and still do have security risks associated with them (whether internal scripts are allowed to run or not). This problem is certainly not unique to blend files, and certainly not due solely to the fact that blender allows python scripts to run. This is a non-issue. The Trusted Source checkbox is a nice feature, I guess, but realistically I've never used it because I want all blends to open and work as intended by the creator. If I think it might be a malicious file, I don't accept it in the first place. That's where security starts, and ultimately ends. Developer working on the bug tracker you have to open many blend files created by random users, so the assurance those blend files wont run arbitrary python code is something I'm glad to have. Changing trusted defaults, communicating to user more clearly what they do, adding option in header to reload-trusted, area all fine. But I'd stop short of actually making decisions for users, eg, not letting a script write to some location they would normally be allowed to or limiting python functionality to the point useful operations are disabled. If we start turning off useful features it makes it a challenge for script authors to workaround and knowing how CPython is designed they will surely be able to do it without much effort. Then we just loose a lot of dev time trying to secure something that is inherently insecure. Trying to sandbox python is more of a research project - perhaps we can setup a state where pythons internals are temporarily disabled to the point files cant be modified, or pre-process python bytecode and disallow certain features, but I see this as a time sink - at that point we probably should be asking ourselves why we use Python at all, and not something like Lua or check on pypy which can be sand-boxed apparently. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
There was a decision to turn autorun on even if it causes potential security issues, what it comes down to is that we can't really secure python scripts, but they are critical for many artists worksflows. For a long discussion on the topic see here: http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html On Tue, Jun 4, 2013 at 12:51 PM, Yu Asakusa yu.asak...@gmail.com wrote: Hello, Currently “Auto Run Python Scripts” in the File tab in the user preferences (UserPreferencesSystem.use_scripts_auto_execute in Python) is turned on by default. Please turn it off by default. The current default setting means that when users open a blend file, Blender runs any Python scripts in the file as long as they are marked for auto-run. Python scripts can read/write local files and do other malicious things. Therefore, if users would like to open an untrusted blend file, they must explicitly disable auto-run by either turning off “Auto Run Python Scripts” in the user preferences or turning off the “Trusted Source” checkbox in the File Browser window. (See also my post on Google+ https://plus.google.com/u/0/102042171744549015655/posts/2ayrQg2gUG6.) I do not think many users know it is dangerous to open an untrusted blend file with the default settings in Blender. It is different from the common expectation for file-editing programs such as word processors: opening an untrusted file in file-editing programs is usually not considered to be a security risk. In other words, in file-editing programs, it is program’s responsibility to prevent attacks even if users open malicious files. Depending on the point of view, the current default behavior may be considered as a security vulnerability in Blender because of the mismatch between user’s expectation and the actual behavior. Regards, Yu ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Also, good to know that there is a Trusted source checkbox in the file browser while opening a file, which can be disabled for a particular file that you may not trust.. that will prevent autorun scripts. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
there is a command line option (-Y )if you want to turn it off . in linux u can alias blender with -Y option .in windows u can edit the properties of the shortcut to start blender with the -Y option . turning it off will cause hell to break out in a studio that's using blender . :) On Tue, Jun 4, 2013 at 6:05 PM, Prashant Sohani prashant.soh...@gmail.comwrote: Also, good to know that there is a Trusted source checkbox in the file browser while opening a file, which can be disabled for a particular file that you may not trust.. that will prevent autorun scripts. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- regards - shrinidhi Even god fails to understand a human until his death! http://www.linkedin.com/in/shrinidhi666 https://github.com/shrinidhi666 http://www.imdb.com/name/nm3025616 ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Thank you for the reply, and especially for the pointer to the previous discussion in April and May 2010. I was not aware of it. I think I took a look at all the messages in that thread in the archive. Now I understand it is unacceptable to some people to disable autoruns by default. So I will change my suggestion to the following: Please add an option to confirm before Blender runs Python scripts automatically, and turn on this new option by default. Probably this option should be ignored in the batch mode. I tried to find this suggestion in the past thread, but I could not find it. Excuse me if this was already suggested and rejected for some reason and I overlooked it, but in that case I am curious what the reason for rejection was. On Tue, Jun 4, 2013 at 8:15 AM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: There was a decision to turn autorun on even if it causes potential security issues, what it comes down to is that we can't really secure python scripts, but they are critical for many artists worksflows. For a long discussion on the topic see here: http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html On Tue, Jun 4, 2013 at 12:51 PM, Yu Asakusa yu.asak...@gmail.com wrote: Hello, Currently “Auto Run Python Scripts” in the File tab in the user preferences (UserPreferencesSystem.use_scripts_auto_execute in Python) is turned on by default. Please turn it off by default. The current default setting means that when users open a blend file, Blender runs any Python scripts in the file as long as they are marked for auto-run. Python scripts can read/write local files and do other malicious things. Therefore, if users would like to open an untrusted blend file, they must explicitly disable auto-run by either turning off “Auto Run Python Scripts” in the user preferences or turning off the “Trusted Source” checkbox in the File Browser window. (See also my post on Google+ https://plus.google.com/u/0/102042171744549015655/posts/2ayrQg2gUG6.) I do not think many users know it is dangerous to open an untrusted blend file with the default settings in Blender. It is different from the common expectation for file-editing programs such as word processors: opening an untrusted file in file-editing programs is usually not considered to be a security risk. In other words, in file-editing programs, it is program’s responsibility to prevent attacks even if users open malicious files. Depending on the point of view, the current default behavior may be considered as a security vulnerability in Blender because of the mismatch between user’s expectation and the actual behavior. Regards, Yu ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
In User Preferences - Files i found the option Auto Run Python Scripts I have disabled this option in my blender setup. However i also like your idea to have the additional option: - Ask user on load (when Autorun is disabled in user preferences) Furthermore it would be nice if i where able to load a blend file with autorun initially off, but later allow to enable autorun after i have inspected the included scripts, and found them trustworthy... On 04.06.2013 15:23, Yu Asakusa wrote: Thank you for the reply, and especially for the pointer to the previous discussion in April and May 2010. I was not aware of it. I think I took a look at all the messages in that thread in the archive. Now I understand it is unacceptable to some people to disable autoruns by default. So I will change my suggestion to the following: Please add an option to confirm before Blender runs Python scripts automatically, and turn on this new option by default. Probably this option should be ignored in the batch mode. I tried to find this suggestion in the past thread, but I could not find it. Excuse me if this was already suggested and rejected for some reason and I overlooked it, but in that case I am curious what the reason for rejection was. On Tue, Jun 4, 2013 at 8:15 AM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: There was a decision to turn autorun on even if it causes potential security issues, what it comes down to is that we can't really secure python scripts, but they are critical for many artists worksflows. For a long discussion on the topic see here: http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html On Tue, Jun 4, 2013 at 12:51 PM, Yu Asakusa yu.asak...@gmail.com wrote: Hello, Currently “Auto Run Python Scripts” in the File tab in the user preferences (UserPreferencesSystem.use_scripts_auto_execute in Python) is turned on by default. Please turn it off by default. The current default setting means that when users open a blend file, Blender runs any Python scripts in the file as long as they are marked for auto-run. Python scripts can read/write local files and do other malicious things. Therefore, if users would like to open an untrusted blend file, they must explicitly disable auto-run by either turning off “Auto Run Python Scripts” in the user preferences or turning off the “Trusted Source” checkbox in the File Browser window. (See also my post on Google+ https://plus.google.com/u/0/102042171744549015655/posts/2ayrQg2gUG6.) I do not think many users know it is dangerous to open an untrusted blend file with the default settings in Blender. It is different from the common expectation for file-editing programs such as word processors: opening an untrusted file in file-editing programs is usually not considered to be a security risk. In other words, in file-editing programs, it is program’s responsibility to prevent attacks even if users open malicious files. Depending on the point of view, the current default behavior may be considered as a security vulnerability in Blender because of the mismatch between user’s expectation and the actual behavior. Regards, Yu ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Dear Thomas, As I wrote in the first email, I know there are options to change the behavior, and I am questioning the *default* behavior. I agree a confirmation popup is not nice, but I am suggesting the confirmation as a compromise to make Blender secure by default without causing data loss to users whose workflow relies on autorun. Yu On Tue, Jun 4, 2013 at 9:34 AM, Thomas Dinges blen...@dingto.org wrote: Hi, as someone previously said, you can start Blender with a parameter (-Y), to not start scripts automatically, so there is already an option. You can set that to your blender.exe or so, then you don't have to manually set it on each startup. Having a Confirmation popup Do you really want to run the script? is not a good idea, neither as a preference or not. Thomas Am 04.06.2013 15:23, schrieb Yu Asakusa: Thank you for the reply, and especially for the pointer to the previous discussion in April and May 2010. I was not aware of it. I think I took a look at all the messages in that thread in the archive. Now I understand it is unacceptable to some people to disable autoruns by default. So I will change my suggestion to the following: Please add an option to confirm before Blender runs Python scripts automatically, and turn on this new option by default. Probably this option should be ignored in the batch mode. I tried to find this suggestion in the past thread, but I could not find it. Excuse me if this was already suggested and rejected for some reason and I overlooked it, but in that case I am curious what the reason for rejection was. On Tue, Jun 4, 2013 at 8:15 AM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: There was a decision to turn autorun on even if it causes potential security issues, what it comes down to is that we can't really secure python scripts, but they are critical for many artists worksflows. For a long discussion on the topic see here: http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html On Tue, Jun 4, 2013 at 12:51 PM, Yu Asakusa yu.asak...@gmail.com wrote: Hello, Currently “Auto Run Python Scripts” in the File tab in the user preferences (UserPreferencesSystem.use_scripts_auto_execute in Python) is turned on by default. Please turn it off by default. The current default setting means that when users open a blend file, Blender runs any Python scripts in the file as long as they are marked for auto-run. Python scripts can read/write local files and do other malicious things. Therefore, if users would like to open an untrusted blend file, they must explicitly disable auto-run by either turning off “Auto Run Python Scripts” in the user preferences or turning off the “Trusted Source” checkbox in the File Browser window. (See also my post on Google+ https://plus.google.com/u/0/102042171744549015655/posts/2ayrQg2gUG6.) I do not think many users know it is dangerous to open an untrusted blend file with the default settings in Blender. It is different from the common expectation for file-editing programs such as word processors: opening an untrusted file in file-editing programs is usually not considered to be a security risk. In other words, in file-editing programs, it is program’s responsibility to prevent attacks even if users open malicious files. Depending on the point of view, the current default behavior may be considered as a security vulnerability in Blender because of the mismatch between user’s expectation and the actual behavior. Regards, Yu ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- Thomas Dinges Blender Developer, Artist and Musician www.dingto.org ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
There's a compile time flag that does this if you're into that sort of thing -- WITH_PYTHON_SECURITY I believe it is -- that the linux distros use it for their packaged blender builds Well, except fedora who uses WITH_PYTHON_SAFETY which still auto-runs scripts and gives you much slower python scripts. Filed a bug report a while back but they don't seem to care. Dan ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Here's another discussion where the popup idea comes up: http://lists.blender.org/pipermail/bf-committers/2010-March/026573.html It's a tradeoff, do we really want to degrade usability for this? The decision at the time was that no, we do not. Also note that even disabling scripts does not make Blender secure, there's dozens of other ways to create malicious .blend files. On Tue, Jun 4, 2013 at 3:50 PM, Yu Asakusa yu.asak...@gmail.com wrote: Dear Thomas, As I wrote in the first email, I know there are options to change the behavior, and I am questioning the *default* behavior. I agree a confirmation popup is not nice, but I am suggesting the confirmation as a compromise to make Blender secure by default without causing data loss to users whose workflow relies on autorun. Yu On Tue, Jun 4, 2013 at 9:34 AM, Thomas Dinges blen...@dingto.org wrote: Hi, as someone previously said, you can start Blender with a parameter (-Y), to not start scripts automatically, so there is already an option. You can set that to your blender.exe or so, then you don't have to manually set it on each startup. Having a Confirmation popup Do you really want to run the script? is not a good idea, neither as a preference or not. Thomas Am 04.06.2013 15:23, schrieb Yu Asakusa: Thank you for the reply, and especially for the pointer to the previous discussion in April and May 2010. I was not aware of it. I think I took a look at all the messages in that thread in the archive. Now I understand it is unacceptable to some people to disable autoruns by default. So I will change my suggestion to the following: Please add an option to confirm before Blender runs Python scripts automatically, and turn on this new option by default. Probably this option should be ignored in the batch mode. I tried to find this suggestion in the past thread, but I could not find it. Excuse me if this was already suggested and rejected for some reason and I overlooked it, but in that case I am curious what the reason for rejection was. On Tue, Jun 4, 2013 at 8:15 AM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: There was a decision to turn autorun on even if it causes potential security issues, what it comes down to is that we can't really secure python scripts, but they are critical for many artists worksflows. For a long discussion on the topic see here: http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html On Tue, Jun 4, 2013 at 12:51 PM, Yu Asakusa yu.asak...@gmail.com wrote: Hello, Currently “Auto Run Python Scripts” in the File tab in the user preferences (UserPreferencesSystem.use_scripts_auto_execute in Python) is turned on by default. Please turn it off by default. The current default setting means that when users open a blend file, Blender runs any Python scripts in the file as long as they are marked for auto-run. Python scripts can read/write local files and do other malicious things. Therefore, if users would like to open an untrusted blend file, they must explicitly disable auto-run by either turning off “Auto Run Python Scripts” in the user preferences or turning off the “Trusted Source” checkbox in the File Browser window. (See also my post on Google+ https://plus.google.com/u/0/102042171744549015655/posts/2ayrQg2gUG6.) I do not think many users know it is dangerous to open an untrusted blend file with the default settings in Blender. It is different from the common expectation for file-editing programs such as word processors: opening an untrusted file in file-editing programs is usually not considered to be a security risk. In other words, in file-editing programs, it is program’s responsibility to prevent attacks even if users open malicious files. Depending on the point of view, the current default behavior may be considered as a security vulnerability in Blender because of the mismatch between user’s expectation and the actual behavior. Regards, Yu ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- Thomas Dinges Blender Developer, Artist and Musician www.dingto.org ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Tue, Jun 4, 2013 at 8:05 AM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: Here's another discussion where the popup idea comes up: http://lists.blender.org/pipermail/bf-committers/2010-March/026573.html It's a tradeoff, do we really want to degrade usability for this? I don't think this is a question of degrading expert blender usability. It's a question of protecting a broader less expert userbase from malicious blend files. I think your previous post is an excellent case for not SILENTLY disabling scripts by default. [1] However, this is not the only option. For nearly a decade MS-Word has been using a challenge dialog before running scripts. Is there ideological opposition to default to showing a dialog before processing python scripts in a blend file? The decision at the time was that no, we do not. Also note that even disabling scripts does not make Blender secure, there's dozens of other ways to create malicious .blend files. What are the other dozen ways blender could read/destroy/send-files-to-the-internet/install-viruses with python scripts disabled? [1] http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi, I think I would have to agree with David's stance here. A studio would most certainly track changes to blenders behavior, at least more likely so compared to a new user, and also know of this feature very well. I honestly can't see a safe default of disabled py scripts affecting a professional studio, and the benefits to the community at large by having safe defaults I think outweighs the minor inconvenience that the pros would have to go through to re-enable it. Anyway, my $0.02 Dan On Tue, Jun 4, 2013 at 1:58 PM, David Jeske dav...@gmail.com wrote: On Tue, Jun 4, 2013 at 8:05 AM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: Here's another discussion where the popup idea comes up: http://lists.blender.org/pipermail/bf-committers/2010-March/026573.html It's a tradeoff, do we really want to degrade usability for this? I don't think this is a question of degrading expert blender usability. It's a question of protecting a broader less expert userbase from malicious blend files. I think your previous post is an excellent case for not SILENTLY disabling scripts by default. [1] However, this is not the only option. For nearly a decade MS-Word has been using a challenge dialog before running scripts. Is there ideological opposition to default to showing a dialog before processing python scripts in a blend file? The decision at the time was that no, we do not. Also note that even disabling scripts does not make Blender secure, there's dozens of other ways to create malicious .blend files. What are the other dozen ways blender could read/destroy/send-files-to-the-internet/install-viruses with python scripts disabled? [1] http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Oh my, this is a delicate topic here. The security expert within me is furiously trying to break out of his cage, while the Blender user within me tries to keep the door closed ;) I must admit David is right in this. We should protect our users from malicious blend files. I would suggest a dialogue box that warns of these scripts. This box could have a checkbox like M$ Word (Never show this message again). So the users can decide whether they want to be protected or not. /Jürgen -Ursprüngliche Nachricht- Von: bf-committers-boun...@blender.org [mailto:bf-committers-boun...@blender.org] Im Auftrag von David Jeske Gesendet: Dienstag, 4. Juni 2013 19:59 An: bf-blender developers Betreff: Re: [Bf-committers] Please turn off Auto Run Python Scripts by default On Tue, Jun 4, 2013 at 8:05 AM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: Here's another discussion where the popup idea comes up: http://lists.blender.org/pipermail/bf-committers/2010-March/026573.htm l It's a tradeoff, do we really want to degrade usability for this? I don't think this is a question of degrading expert blender usability. It's a question of protecting a broader less expert userbase from malicious blend files. I think your previous post is an excellent case for not SILENTLY disabling scripts by default. [1] However, this is not the only option. For nearly a decade MS-Word has been using a challenge dialog before running scripts. Is there ideological opposition to default to showing a dialog before processing python scripts in a blend file? The decision at the time was that no, we do not. Also note that even disabling scripts does not make Blender secure, there's dozens of other ways to create malicious .blend files. What are the other dozen ways blender could read/destroy/send-files-to-the-internet/install-viruses with python scripts disabled? [1] http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
That is what I meant, it's a delicate topic. It is not very likely that this happens, but it is not impossible. We could wait until this happens the first time and react later or we could act preventative. But in the end it is absolutely indifferent what we do. Some users will always complain about it. /Jürgen -Ursprüngliche Nachricht- Von: bf-committers-boun...@blender.org [mailto:bf-committers-boun...@blender.org] Im Auftrag von Thomas Dinges Gesendet: Dienstag, 4. Juni 2013 20:16 An: bf-blender developers Betreff: Re: [Bf-committers] Please turn off Auto Run Python Scripts by default I may see this too simple, but you also don't run any .exe file you get your hands on, on your computer. In the end it all comes down to Do I trust the source, yes or no. ;) Come on, how often did you got a virus or so via a .exe or so, and how often via a .blend file? Am 04.06.2013 19:58, schrieb David Jeske: On Tue, Jun 4, 2013 at 8:05 AM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: Here's another discussion where the popup idea comes up: http://lists.blender.org/pipermail/bf-committers/2010-March/026573.ht ml It's a tradeoff, do we really want to degrade usability for this? I don't think this is a question of degrading expert blender usability. It's a question of protecting a broader less expert userbase from malicious blend files. I think your previous post is an excellent case for not SILENTLY disabling scripts by default. [1] However, this is not the only option. For nearly a decade MS-Word has been using a challenge dialog before running scripts. Is there ideological opposition to default to showing a dialog before processing python scripts in a blend file? The decision at the time was that no, we do not. Also note that even disabling scripts does not make Blender secure, there's dozens of other ways to create malicious .blend files. What are the other dozen ways blender could read/destroy/send-files-to-the-internet/install-viruses with python scripts disabled? [1] http://lists.blender.org/pipermail/bf-committers/2010-April/027216.htm l ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- Thomas Dinges Blender Developer, Artist and Musician www.dingto.org ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
That it is possible to create something bad withing a Blend file is not enough, on its own, for this to be a threat worth considering. Trying to propagate a virus or other nasty behavior via Blend files would be a silly waste of time for the perpetrator. This is because it is not a method that can attain momentum and continue. If I download a bad Blend file that erases my files or infects me with something that outcome will not, in turn, lead to others being similarly affected. I will know where I got the file from and it will be quite easy to ensure nobody else is similarly inconvenienced. The process has stopped. This is quite unlike a macro inside a Word Document or a virus-infected executable. Harley ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Wed, Jun 5, 2013 at 3:58 AM, David Jeske dav...@gmail.com wrote: On Tue, Jun 4, 2013 at 8:05 AM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: Here's another discussion where the popup idea comes up: http://lists.blender.org/pipermail/bf-committers/2010-March/026573.html It's a tradeoff, do we really want to degrade usability for this? I don't think this is a question of degrading expert blender usability. It's a question of protecting a broader less expert userbase from malicious blend files. I think your previous post is an excellent case for not SILENTLY disabling scripts by default. [1] However, this is not the only option. For nearly a decade MS-Word has been using a challenge dialog before running scripts. Is there ideological opposition to default to showing a dialog before processing python scripts in a blend file? Blender doesn't have these kinds of dialogs available (ones that block everything and wait for input), also checking if a script will run isn't totally trivial - any driver can run a script for example. So yes - both are solvable, but its not easily supported without some extra work - probably this is why someone hasn't written a patch already. The decision at the time was that no, we do not. Also note that even disabling scripts does not make Blender secure, there's dozens of other ways to create malicious .blend files. What are the other dozen ways blender could read/destroy/send-files-to-the-internet/install-viruses with python scripts disabled? I would assume these other ways would have to make use of hand crafted blend files that cause buffer overruns to run malicious executable code. [1] http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- - Campbell ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Why not just add in User preferences: [ ] Auto run scripts (we have this already) [X] Ask for autorun on load if general Autorun is disabled This would solve all purposes: - new users are made aware of huh, there are autorun scripts in this blend! - experienced users can customize either: - i trust everybody: always autorun. - i trust nobody: never autorun. - i care: ask me case by case btw, what is missing here (maybe) is a way to enable autorun on an already open blend file which was first loaded with aurorun off. That would allow to inspect the scripts before running them at least. Well, there can always be areas in blender which would unexpectedly break with such a change. but ... really ? On 04.06.2013 20:20, Jürgen Herrmann wrote: That is what I meant, it's a delicate topic. It is not very likely that this happens, but it is not impossible. We could wait until this happens the first time and react later or we could act preventative. But in the end it is absolutely indifferent what we do. Some users will always complain about it. /Jürgen -Ursprüngliche Nachricht- Von: bf-committers-boun...@blender.org [mailto:bf-committers-boun...@blender.org] Im Auftrag von Thomas Dinges Gesendet: Dienstag, 4. Juni 2013 20:16 An: bf-blender developers Betreff: Re: [Bf-committers] Please turn off Auto Run Python Scripts by default I may see this too simple, but you also don't run any .exe file you get your hands on, on your computer. In the end it all comes down to Do I trust the source, yes or no. ;) Come on, how often did you got a virus or so via a .exe or so, and how often via a .blend file? Am 04.06.2013 19:58, schrieb David Jeske: On Tue, Jun 4, 2013 at 8:05 AM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: Here's another discussion where the popup idea comes up: http://lists.blender.org/pipermail/bf-committers/2010-March/026573.ht ml It's a tradeoff, do we really want to degrade usability for this? I don't think this is a question of degrading expert blender usability. It's a question of protecting a broader less expert userbase from malicious blend files. I think your previous post is an excellent case for not SILENTLY disabling scripts by default. [1] However, this is not the only option. For nearly a decade MS-Word has been using a challenge dialog before running scripts. Is there ideological opposition to default to showing a dialog before processing python scripts in a blend file? The decision at the time was that no, we do not. Also note that even disabling scripts does not make Blender secure, there's dozens of other ways to create malicious .blend files. What are the other dozen ways blender could read/destroy/send-files-to-the-internet/install-viruses with python scripts disabled? [1] http://lists.blender.org/pipermail/bf-committers/2010-April/027216.htm l ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- Thomas Dinges Blender Developer, Artist and Musician www.dingto.org ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Hi, please be aware that this topic is NOT solvable by us. Even when we make the scripts not start on startup, it will be run on some other trigger. Scripts are essential for running blender, think about BGE, Animations, Rigs, UI, Operators, and many others. Turning them all off, might make users not wanting to work with Blender. Closing it on startup does not fix a thing. If someone wants to harm, he/she can. That has been a proven fact in security. Security is a big topic and we should be very aware that we are just a small component in a much complexer environment and we have not the influence to fix the whole environment. And not fixing it in the whole environment will not solve anything at all. Regards, - At Mind - On 06/04/2013 08:58 PM, Gaia wrote: Why not just add in User preferences: [ ] Auto run scripts (we have this already) [X] Ask for autorun on load if general Autorun is disabled This would solve all purposes: - new users are made aware of huh, there are autorun scripts in this blend! - experienced users can customize either: - i trust everybody: always autorun. - i trust nobody: never autorun. - i care: ask me case by case btw, what is missing here (maybe) is a way to enable autorun on an already open blend file which was first loaded with aurorun off. That would allow to inspect the scripts before running them at least. Well, there can always be areas in blender which would unexpectedly break with such a change. but ... really ? On 04.06.2013 20:20, Jürgen Herrmann wrote: That is what I meant, it's a delicate topic. It is not very likely that this happens, but it is not impossible. We could wait until this happens the first time and react later or we could act preventative. But in the end it is absolutely indifferent what we do. Some users will always complain about it. /Jürgen -Ursprüngliche Nachricht- Von: bf-committers-boun...@blender.org [mailto:bf-committers-boun...@blender.org] Im Auftrag von Thomas Dinges Gesendet: Dienstag, 4. Juni 2013 20:16 An: bf-blender developers Betreff: Re: [Bf-committers] Please turn off Auto Run Python Scripts by default I may see this too simple, but you also don't run any .exe file you get your hands on, on your computer. In the end it all comes down to Do I trust the source, yes or no. ;) Come on, how often did you got a virus or so via a .exe or so, and how often via a .blend file? Am 04.06.2013 19:58, schrieb David Jeske: On Tue, Jun 4, 2013 at 8:05 AM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: Here's another discussion where the popup idea comes up: http://lists.blender.org/pipermail/bf-committers/2010-March/026573.ht ml It's a tradeoff, do we really want to degrade usability for this? I don't think this is a question of degrading expert blender usability. It's a question of protecting a broader less expert userbase from malicious blend files. I think your previous post is an excellent case for not SILENTLY disabling scripts by default. [1] However, this is not the only option. For nearly a decade MS-Word has been using a challenge dialog before running scripts. Is there ideological opposition to default to showing a dialog before processing python scripts in a blend file? The decision at the time was that no, we do not. Also note that even disabling scripts does not make Blender secure, there's dozens of other ways to create malicious .blend files. What are the other dozen ways blender could read/destroy/send-files-to-the-internet/install-viruses with python scripts disabled? [1] http://lists.blender.org/pipermail/bf-committers/2010-April/027216.htm l ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- Thomas Dinges Blender Developer, Artist and Musician www.dingto.org ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Tue, Jun 4, 2013 at 7:58 PM, David Jeske dav...@gmail.com wrote: The decision at the time was that no, we do not. Also note that even disabling scripts does not make Blender secure, there's dozens of other ways to create malicious .blend files. What are the other dozen ways blender could read/destroy/send-files-to-the-internet/install-viruses with python scripts disabled? Some examples: * Animation rendering, compositor file output node, point caches, etc all write to disk. When set to certain paths they can overwrite important files. * Blend files can contain user preferences and those will be loaded automatically. * Keyboard shortcuts can be bound to arbitrary operators which can be used to do pretty much anything. * We don't generally keep up with the latest security fixes for jpg, png, .. libraries. * Auto Start for games. * Specially crafted screen setup so user executes code in the python console editor without noticing. * Buffer overflows are easy to achieve with the current .blend file reading code. Scripts of course make it easier, but even without that it's still fairly easy to do damage. Brecht. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Wed, Jun 5, 2013 at 5:38 AM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: On Tue, Jun 4, 2013 at 7:58 PM, David Jeske dav...@gmail.com wrote: The decision at the time was that no, we do not. Also note that even disabling scripts does not make Blender secure, there's dozens of other ways to create malicious .blend files. What are the other dozen ways blender could read/destroy/send-files-to-the-internet/install-viruses with python scripts disabled? Some examples: * Animation rendering, compositor file output node, point caches, etc all write to disk. When set to certain paths they can overwrite important files. * Blend files can contain user preferences and those will be loaded automatically. * Keyboard shortcuts can be bound to arbitrary operators which can be used to do pretty much anything. * We don't generally keep up with the latest security fixes for jpg, png, .. libraries. * Auto Start for games. * Specially crafted screen setup so user executes code in the python console editor without noticing. * Buffer overflows are easy to achieve with the current .blend file reading code. Scripts of course make it easier, but even without that it's still fairly easy to do damage. Brecht. Checked over these items, and from what I can tell, disabling `Trusted Source` on load still works well to ensure arbitrary scripts contained within the blend file don't run - BGE autostart also respects this option. Even tricking user into using the python console would require some user interaction. Loading user preferences is a bit of a worry, but even in this case I couldn't get a script to auto-execute on startup since it doesn't save drivers/text to that file. However if the user assumes running scripts is disabled in the preferences, a blend file manages to enable this, then they load a second blend --- it could be used to trick the user into running scripts still. And of course with buffer overflows all bets are off, but this is also a lot more involved then simply adding a python script to a blend file and telling it to run which is the case we wanted `Trusted Source` option to deal with. -- - Campbell ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Thank you for the list of potential risks. I cannot judge how difficult it is to solve all of them and make it safe for a user to open an untrusted blend file, but it seems it is much harder than I expected. If it is too hard, do you think it is easier to better communicate to users that opening an untrusted blend file in Blender is a dangerous operation? As the community of Blender grows, it seems that more and more people are downloading blend files made by someone they do not know, and this trend is likely to continue. Many users reasonably expect that “just” opening a blend file is a safe operation, unlike opening an executable file. The security problem here is the mismatch between user’s expectation and the actual behavior rather than the behavior itself. I hoped the actual behavior could be changed to match user’s expectation, but now I am less hopeful (although from Campbell Barton’s reply it seems all hope is not lost). Then changing user’s expectation to match the reality might be an easier way to resolve this mismatch. If users know they should handle downloaded blend files just like downloaded executable files, this will no longer be a vulnerability. On Tue, Jun 4, 2013 at 3:38 PM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: On Tue, Jun 4, 2013 at 7:58 PM, David Jeske dav...@gmail.com wrote: The decision at the time was that no, we do not. Also note that even disabling scripts does not make Blender secure, there's dozens of other ways to create malicious .blend files. What are the other dozen ways blender could read/destroy/send-files-to-the-internet/install-viruses with python scripts disabled? Some examples: * Animation rendering, compositor file output node, point caches, etc all write to disk. When set to certain paths they can overwrite important files. * Blend files can contain user preferences and those will be loaded automatically. * Keyboard shortcuts can be bound to arbitrary operators which can be used to do pretty much anything. * We don't generally keep up with the latest security fixes for jpg, png, .. libraries. * Auto Start for games. * Specially crafted screen setup so user executes code in the python console editor without noticing. * Buffer overflows are easy to achieve with the current .blend file reading code. Scripts of course make it easier, but even without that it's still fairly easy to do damage. Brecht. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
isnt using a computer itself a risk ?! . why not just disable the net and other out worldly connections to the comp . ? y do we want to use a hard disk? ..isnt it possible that some app will always overwrite our data? we might even format it by mistake . i would prefer usability rather than some closed and difficult to implement software thats marketed as psychologically secure like windows OS! . people who are concerned about security using any software shouldn't use computers itself ! .. its simple . I wouldnt want people in a studio to always click a few extra buttons and forget sometimes and cause havoc on scenes while rendering , and spend a day trying to find out the problem! * pop ups are not an option during command line batching operations . Since there is an CLI option to enable and disable a script . it makes sense to disable it by default and people using it in studios can target blender to start with the autorun enabled option . provided the change is propagated to all blender users in some way so they remember the change :) . why complicate it with GUI popups? :( . and the only software that is safe is the one that does nothing . security is a user side issue . users should be informed and educated. any user who is dumb enough to turn a blind eye towards it and gets into trouble deserves it . because a software cannot provide security to all users . if it does that .. it does nothing! . On Wed, Jun 5, 2013 at 4:28 AM, Yu Asakusa yu.asak...@gmail.com wrote: Thank you for the list of potential risks. I cannot judge how difficult it is to solve all of them and make it safe for a user to open an untrusted blend file, but it seems it is much harder than I expected. If it is too hard, do you think it is easier to better communicate to users that opening an untrusted blend file in Blender is a dangerous operation? As the community of Blender grows, it seems that more and more people are downloading blend files made by someone they do not know, and this trend is likely to continue. Many users reasonably expect that “just” opening a blend file is a safe operation, unlike opening an executable file. The security problem here is the mismatch between user’s expectation and the actual behavior rather than the behavior itself. I hoped the actual behavior could be changed to match user’s expectation, but now I am less hopeful (although from Campbell Barton’s reply it seems all hope is not lost). Then changing user’s expectation to match the reality might be an easier way to resolve this mismatch. If users know they should handle downloaded blend files just like downloaded executable files, this will no longer be a vulnerability. On Tue, Jun 4, 2013 at 3:38 PM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: On Tue, Jun 4, 2013 at 7:58 PM, David Jeske dav...@gmail.com wrote: The decision at the time was that no, we do not. Also note that even disabling scripts does not make Blender secure, there's dozens of other ways to create malicious .blend files. What are the other dozen ways blender could read/destroy/send-files-to-the-internet/install-viruses with python scripts disabled? Some examples: * Animation rendering, compositor file output node, point caches, etc all write to disk. When set to certain paths they can overwrite important files. * Blend files can contain user preferences and those will be loaded automatically. * Keyboard shortcuts can be bound to arbitrary operators which can be used to do pretty much anything. * We don't generally keep up with the latest security fixes for jpg, png, .. libraries. * Auto Start for games. * Specially crafted screen setup so user executes code in the python console editor without noticing. * Buffer overflows are easy to achieve with the current .blend file reading code. Scripts of course make it easier, but even without that it's still fairly easy to do damage. Brecht. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- regards - shrinidhi Even god fails to understand a human until his death! http://www.linkedin.com/in/shrinidhi666 https://github.com/shrinidhi666 http://www.imdb.com/name/nm3025616 ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
Not sure this discussion is really going anywhere now - there are valid arguments for/against this being on by default, but this was decided back in 2010 and I don't see that decision changing. To avoid further threads on this topic added a section to our developer FAQ. http://wiki.blender.org/index.php/Dev:Doc/FAQ#How_Does_Blender_Deal_with_Security.3F ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
This issue would be less problematic if new versions of blender would read preferences set from older versions. Currently in my experience all preferences have to be re-set after each new version download. Which means if you turn off auto load scripts it only stays off until the next download. On Tue, Jun 4, 2013 at 2:15 PM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: Regarding implementation of a popup: if it is desired, you could load the file with scripts disabled, and then in the info header have a warning and button to reload the file with scripts enabled. That's nicely non-modal too. This seems like quite an elegant blender-esq option. It does appear this is a vulnerability in other popular 3d modeling tools... I believe the attack surface area of blender may be worse than Maya or 3ds, as blender is a free download. However, it's probably comparable to DAZ studio, which is also free and also has this vulnerability. http://www.coresecurity.com/content/blender-scripting-injection http://www.coresecurity.com/content/maya-arbitrary-command-execution http://www.coresecurity.com/content/3dsmax-arbitrary-command-execution http://www.coresecurity.com/content/dazstudio-scripting-injection It might be worth adding this comparison information to the FAQ. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Please turn off Auto Run Python Scripts by default
On Wed, Jun 5, 2013 at 3:15 PM, David Jeske dav...@gmail.com wrote: This issue would be less problematic if new versions of blender would read preferences set from older versions. Currently in my experience all preferences have to be re-set after each new version download. Which means if you turn off auto load scripts it only stays off until the next download. When you load a new version of blender the splash screen should show the option Copy Previous Settings, Though its limited to updating from the previous release. Though its not foolproof since you could install blender then immediately load an untrusted blend file before you have a chance to restore preferences. On Tue, Jun 4, 2013 at 2:15 PM, Brecht Van Lommel brechtvanlom...@pandora.be wrote: Regarding implementation of a popup: if it is desired, you could load the file with scripts disabled, and then in the info header have a warning and button to reload the file with scripts enabled. That's nicely non-modal too. This seems like quite an elegant blender-esq option. It does appear this is a vulnerability in other popular 3d modeling tools... I believe the attack surface area of blender may be worse than Maya or 3ds, as blender is a free download. However, it's probably comparable to DAZ studio, which is also free and also has this vulnerability. http://www.coresecurity.com/content/blender-scripting-injection http://www.coresecurity.com/content/maya-arbitrary-command-execution http://www.coresecurity.com/content/3dsmax-arbitrary-command-execution http://www.coresecurity.com/content/dazstudio-scripting-injection It might be worth adding this comparison information to the FAQ. ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers -- - Campbell ___ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers