Page 2 of 2
Results 21 to 28 of 28
  1. #21
    Member JustinBarrett's Avatar
    Join Date
    Jul 2009
    Location
    Trier(near), Germany
    Posts
    2,394
    Fear tactics and nonsense...I mean no one here is really that concerned about the current state of Blender security...at least I don't worry about it...

    This is one of those things that would generally not be exploited...but now that some attention has been drawn who knows...it's a chicken or the egg scenario.
    "The crows seem to be calling my name." Thought Kaw.
    Myrlea, "The Shepherd's Quest" formerly "Valiant" [project]



  2. #22
    Much like spear phishing has become more prominent after the Sony hack, virtual currency after Bitcoin, or (going way back here) TV medical dramas after the first season of 'ER'. Success breeds more attempts at similar success.

    It's not the end of the world, but it's not people calling chicken-little either. There is some valid concern (more so with growing commercial adoption), and there should be a good medium found between protection levels and the effort to get there.



  3. #23
    Member JustinBarrett's Avatar
    Join Date
    Jul 2009
    Location
    Trier(near), Germany
    Posts
    2,394
    I do not see any big company, while using Blender, having it connected to an exterior network...I assume most people like to keep their work relatively hidden and private and generally only distribute for external mediums...like film etc.
    "The crows seem to be calling my name." Thought Kaw.
    Myrlea, "The Shepherd's Quest" formerly "Valiant" [project]



  4. #24
    Member
    Join Date
    Aug 2010
    Location
    Adelaide, South Australia
    Posts
    2,764
    https://lists.blender.org/pipermail/...ry/049024.html

    Hi everyone,


    You've probably followed the discussion based on Cisco's security reports.
    Here's the thread on our developer site:
    https://developer.blender.org/T52924


    Last week Cisco posted the full list on their blog, with a quite negative statement that "we declined to address the issues". I've asked Cisco to update that blog post or at least post my reply, nothing happened so far.


    http://blog.talosintelligence.com/20...der-vulns.html


    With the issue being picked up by news websites the pressure to handle the reports became quite more urgent. Also because we were planning a bug-fix 2.79a release this month.


    I'm happy to report that Brecht Van Lommel took the efforts to handle all of the reported issues in Blender in the past 4 days. You can see the commits related to this on this url:


    https://lists.blender.org/pipermail/...uary/date.html
    (Search for malloc_array)


    Also thanks to Sergey and Campbell for reviewing it.
    A testbuild for 2.79a is being made now (this week?). Official release then happens shortly after.


    Please note it doesn't mean Blender is anything like "safe" now. It remains important to only open Blender files from trusted sources. We still think that real and sensible security (if you want .blend files safe to be spread anonymously) is a project with a magnitude that's outside of the scope of what we can handle. For that we welcome contributions from the industry!


    Thanks,


    -Ton-



  5. #25
    Assuming Cisco and Intel currently have larger security issues as compared to Blender.



  6. #26
    Member pauljs75_'s Avatar
    Join Date
    Jan 2006
    Location
    Chicago 'burbs
    Posts
    930
    For the average user it's still a toss-up between not having a rig working at all, or risk having some malevolent Python code cause problems. (Not enough people know all the details about programming in it.) So far, for most sites that distribute Blender content this hasn't been too big a problem. (Small enough that most people find the step to allow scripts more annoying than the reason that warning reminder exists in the first place.)

    I think the Blender Foundation has already taken most of the steps they could on their end, so the rest really is up to various sites that allow artists to share files. I believe most have ways of flagging problem content.



  7. #27
    Member
    Join Date
    Aug 2008
    Location
    Central Coast, Australia
    Posts
    2,628
    Originally Posted by m9105826
    Any program with scripting access is going to have these vulnerabilities. Treat a .blend with the same respect you'd treat a .py, .lua, or .exe and you'll be fine.
    This is not strictly true, sorry. Lua is one of the scripting languages that can be sandboxed (i.e. prevent access to unsafe functionality) and applications loading files with embedded scripts can, and do, have the ability to turn off the automatic running of scripts contained within. Why do you think you get asked about it when you load a Microsoft Word document or Excel spreadsheet with macros?

    The issue with Python is that it was not designed to be an "embedded" language. As such, the fact that it couldn't be properly sandboxed is not considered a design flaw. Lua (and other scripting languages, I'm not proselytising) have only as much access to the system as you give them. Don't want Lua scripts accessing files - don't give the Lua VM access to that functionality from your program.
    __________________________________________________ _______
    Ignore List available here: http://blenderartists.org/forum/memb...7#vmessage6257



  8. #28
    Member SterlingRoth's Avatar
    Join Date
    Mar 2006
    Location
    Portland, OR
    Posts
    2,115
    Hey, nice seeing you Btolputt, it's been a while.

    I didn't know Lua could be sandboxed in that way. I wish there were more fidelity to the level of script access in Blender, rather than an all or nothing toggle.

    In my default scene I have a camera overlay object parented to my camera, with a simple driver to scale the overlay to fit the zoom level of the camera. I get it, Python can have complete access to the system, but (camera.lens * -.515) isn't exactly malicious code.
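
One shape a narrower level of script access could take for arithmetic drivers such as the `camera.lens * -.515` case in the post above, as an added example that is not part of the thread and not Blender's code: the expression is parsed and only whitelisted syntax is evaluated, so it never reaches `eval()`. The function names, the length cap and the dict-based variable layout are assumptions.

```python
import ast
import operator

# Whitelisted arithmetic; calls, subscripts, lambdas, comprehensions are absent.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARYOPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_LEN = 256  # assumed cap; bounds parse depth and work per evaluation

class UnsafeExpression(ValueError):
    """The expression uses syntax or names outside the whitelist."""

def _number(value):
    if type(value) not in (int, float):
        raise UnsafeExpression("operand is not a plain number")
    return value

def eval_driver_expr(expr, variables):
    """Evaluate arithmetic over `variables` (name -> number or nested dict)."""
    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.Name) and node.id in variables:
            return variables[node.id]
        if isinstance(node, ast.Attribute) and not node.attr.startswith("_"):
            base = walk(node.value)
            # Attributes resolve only as dict keys, never via getattr().
            if isinstance(base, dict) and node.attr in base:
                return base[node.attr]
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](_number(walk(node.left)),
                                          _number(walk(node.right)))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
            return _UNARYOPS[type(node.op)](_number(walk(node.operand)))
        raise UnsafeExpression(f"disallowed: {type(node).__name__}")

    if len(expr) > MAX_LEN:
        raise UnsafeExpression("expression too long")
    return _number(walk(ast.parse(expr.strip(), mode="eval").body))

def is_allowed(expr, variables):
    """True if the expression evaluates under the whitelist."""
    try:
        eval_driver_expr(expr, variables)
        return True
    except (UnsafeExpression, SyntaxError, ZeroDivisionError):
        return False
```

Anything the whitelist does not name (function calls, imports, dunder attributes, unknown names) is rejected before evaluation, so such expressions would still need the existing all-or-nothing script permission.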


