Can "Addon 'A' " access/read preference settings from "Addon 'B' " (security question)?

Made a script which will log a little render info and send off an email once a render is complete. As of now email username, pwd, smtp, etc. are hard coded but I would like to turn this into an Addon and make it public.

I have a concern, the ability for people to script something which will “steal” email usernames and passwords.

So… is it possible to write an addon or script which can read preference info or class variables from a different script or addon?

Figure worst case if it is possible (gut feeling says it is), I’ll post the script with a warning and re-write some things to make it easy to make a quick edit to make custom variable names to make it more secure.

Thanks for any insight.

[EDIT]
@stephen_leger Thank you for the fast response.

Yes it is possible, and easy.

Figured so. Thank you.

I tested this and the code works fine (Blender 2.81)
Would the following be secure for a public script?

import random

the_alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
randomVarEmail = ''
for x in range(0, 5):
    randomVarEmail = randomVarEmail + random.choice(the_alphabet)
    
print(randomVarEmail)

# You need to edit this to your own info...
randomVarEmail = {
    'gmail_userName': '[email protected]',
    'gmail_password': 'bla',
    'smtp_addy': 'smtp.gmail.com',
    'smtp_port': 587,
    'mailTo': ['[email protected]', '[email protected]'],
    'subject_pre': 'Blender Render: '
        }
 
print(randomVarEmail['gmail_userName']) 

nope,
from youraddonname import randomVarEmail
print(randomVarEmail)
Crypto won’t be of any help here either, as whatever your code does, anyone may do the same to revert it back.

Bla… and to think I was clever :slight_smile:

So the only real way to make this a public script would be with a ‘warning’ and let people know they will have to do a ‘find and replace’ of the variable name with one of their own choice?

Thanks again…

And even like that, given a set of known variables you may explore other ones in the scope.

Obviously a script like this is not earth shattering and the masses really don’t need it, but I’m intrigued now. What do you mean?

The following is the sender function:

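import smtplib

# changeAllTheseVarNames, suj_Lang, _writeToLog, logToFile and
# sendEmailErrorToLog are defined elsewhere in the script.
def sendEmail(message, subject):

    # Connect and upgrade the connection to TLS.
    s = None
    try:
        s = smtplib.SMTP(changeAllTheseVarNames['smtp_addy'], changeAllTheseVarNames['smtp_port'])
        s.starttls()
    except Exception:
        sendEmailErrorToLog(message, suj_Lang['ErrEmail_SMTP'])
        # Only close the connection if it was actually opened.
        if s is not None:
            s.quit()
        return

    # Authenticate with the credentials held in the module-level dict.
    try:
        s.login(changeAllTheseVarNames['gmail_userName'], changeAllTheseVarNames['gmail_password'])
    except Exception:
        sendEmailErrorToLog(message, suj_Lang['ErrEmail_UsrPwd'])
        s.quit()
        return

    email_text = """\
Subject: %s

%s
""" % (subject, message)

    # Send the message and optionally record the result in the log file.
    try:
        s.sendmail(changeAllTheseVarNames['gmail_userName'], changeAllTheseVarNames['mailTo'], email_text)
        if _writeToLog == 1:
            logToFile(suj_Lang['EmailSent'])
            logToFile("======================")
            logToFile(" ")
    except Exception:
        sendEmailErrorToLog(message, suj_Lang['ErrEmail_MISC'])

    s.quit()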

So with that, I’m gonna assume if a person knew the ‘smtplib’ library, they could get whatever info they wanted after I pass it?

An “attacker” will try to get your “customized” vars before the SMTP call.

import your_addon as my_addon
all_vars_names = dir(my_addon)

Also keep in mind that we are able to read the source of a Python file and parse it using some regexp.
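
The two points made in the replies above (a renamed variable is still listed in the module namespace, and the source file can be parsed with a regexp) can be turned into a self-check that an add-on author runs on their own module before publishing. This is an added example, not code from the thread; the sample add-on source, the module name `sample_render_mailer` and all values in it are constructed.

```python
import random
import re
import string
import types

SECRET_NAME = re.compile(r"pass(word|wd)?|pwd|secret|token|api_?key", re.IGNORECASE)
DICT_KEY = re.compile(r"""['"](\w+)['"]\s*:""")

# Constructed sample add-on source; VARNAME is replaced by a random identifier.
SAMPLE_SOURCE = """\
VARNAME = {
    'gmail_userName': 'user@example.com',
    'gmail_password': 'not-a-real-password',
    'smtp_port': 587,
}
"""

def random_variable_name(length=5):
    """Random identifier, as in the renaming scheme proposed in the thread."""
    return "v_" + "".join(random.choice(string.ascii_letters) for _ in range(length))

def build_sample_addon(var_name):
    """Return (module, source) for a constructed add-on that uses var_name."""
    source = SAMPLE_SOURCE.replace("VARNAME", var_name)
    module = types.ModuleType("sample_render_mailer")  # hypothetical add-on name
    exec(source, module.__dict__)
    return module, source

def audit_namespace(module):
    """List (variable, key) pairs in module scope that look like credentials."""
    findings = []
    for name, value in vars(module).items():
        if name.startswith("__"):
            continue
        if isinstance(value, str) and SECRET_NAME.search(name):
            findings.append((name, None))
        elif isinstance(value, dict):
            findings += [(name, k) for k in value
                         if isinstance(k, str) and SECRET_NAME.search(k)]
    return findings

def audit_source(source):
    """List (line number, key) for credential-like dict keys in source text."""
    return [(lineno, m.group(1))
            for lineno, line in enumerate(source.splitlines(), 1)
            for m in DICT_KEY.finditer(line)
            if SECRET_NAME.search(m.group(1))]

if __name__ == "__main__":
    mod, src = build_sample_addon(random_variable_name())
    print(audit_namespace(mod))
    print(audit_source(src))
```

Any finding means the value is readable by every other script in the same Python process, whatever the variable is called.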

Ahh… The regexp should have been obvious.
Thanks for all the info.

When might this addon be released? It looks useful. Thanks

Because of the security risk I’m sorry to say this script will not go public.

Is there not a website or something you can send your info to and get it back encrypted?

Have no idea and do not know enough about security (hence the thread) like this. I’m not gonna post something knowing people could be at risk and for what this addon is, sorry to say, I’m not gonna look further into it… Not like this is some special addon or ground breaking.

Thanks for the thought though.

Ignoring for a moment that if someone is desperate enough to get into your code they will find a way…

Why not just write your secure stuff as an external executable and simply use Python to launch it? That way the amateur hackerman can peruse your plain text Python scripts as much as they like.


Understood and agree, if there is a will there is a way.

Thanks for the idea. Glad people popped in with their experience and ideas.