Are uploaded blends here AV scanned

Does anyone know if uploaded blends to BA, or even ones where the file is hosted elsewhere (dropbox, et all) are Antivius/malware scanned? Or generally checked out to be valid blends? I am usually extremely paranoid and won’t open any email attachment I’m not expecting at a certain time from a certain sender. But somehow my guard is down here and I regularly just open up stranger’s blends. I’ve never had an issue with any of them, of course those are famous last words. Anyone here know, or the site devs perhaps?

I’m told you can start Blender without Python via command line switch, or you could open them in a virtual machine. I doubt Python is the only way to compromise a computer via .blend but it seems the most obvious. Typical PC antivirus would not catch malicious actions in Python code, Python scripts by nature take variable code defined action. I worry more about Graphicall builds than .blends.

In the Open file screen’s Open Blender File panel (lower left) there’s a Trusted Source checkbox to enable python scripts in the file to autorun. Set the default behavior in User Prefs > File.

-LP

  1. Basically I’m hearing that no, there’s no way to tell if that blend has a malicious script in it, but you can configure blender to not run code you don’t trust.

  2. Are python scripts, in general, executed within a blend, run in some kind of a sandbox? I’ve written maybe 5 scripts, and I haven’t tried to write or read from the local filesystem. Is it possible?

  3. 1 to 10, how paranoid should I be?

Correct

  1. Are python scripts, in general, executed within a blend, run in some kind of a sandbox? I’ve written maybe 5 scripts, and I haven’t tried to write or read from the local filesystem. Is it possible?

Short answer: yes, it’s possible.

Long answer: I’m a novice at python in blender and I wrote a script that creates a directory on a network drive, saves your current blender file and copies it to that directory, then writes another file to the directory as well. Then the script executes another program on the network drive. So yes, blender python can read/write/copy/delete/etc… any file that is on your computer or available to your computer across a network. But python can’t over ride OS file permissions, like Linux has and I’m sure OSX has them as well. Not sure about newer windows, I’m still an xp user.

  1. 1 to 10, how paranoid should I be?

Probably about a 0. Downloaded a lot of files from here and I’ve never had a problem and I’ve never disabled python scripts. This forum is more about helping each other and the whole open source software mind set of sharing and not hating. If someone wrote a malicious python script in a .blend file and posted it, I’m sure some other user that opened the file would figure it out and post about it.

In my time here, the worst things I have seen on this site is 2 cases of model theft…

Randy