To avoid the execution of Python commands that can arbitrarily call operating system commands during file load, we implemented a Python sandbox. It can be configured in Preferences > Script. By default, the sandbox is enabled, blocking the following operations:
If a Python script contained in a project file tries to perform one of these operations, a warning dialog is displayed. The operation can then be allowed or blocked manually.
If Apply this action to all future instances is selected, it applies the selected action to all subsequent occurrences of the same command.
Selecting Allow for this project allows the operation until a new scene is called or another project file is loaded.
Selecting Don’t execute blocks the operation and a Python exception is thrown.
Use the Script preferences to enable, disable, or configure the Python sandbox.
Enable Python Sandbox - Use to enable or disable the Python sandbox. When the sandbox is disabled, no restrictions are in place for script execution. When it is enabled, Python scripts are blocked from creating new network connections, accessing the file system through Python IO modules, and starting new processes.
Advanced Search - Use for configuring exceptions. When enabled, VRED checks Allowed Functions for any added function exceptions and Allowed Modules for any added module exceptions.
If socket is added to the allowed list, all functions provided by the socket module are no longer blocked.
If socket.getaddrinfo is added to the list of allowed functions, then only the function getaddrinfo, provided by the socket module, is no longer blocked.
The allowed modules exception can also be used to exclude custom Python modules from the Python sandbox.
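The exception rules above, modeled as an added example (not VRED or Autodesk code) that also compares how much a module-level entry unblocks against a function-level entry. The function names and the review heuristic are assumptions made for illustration.

```python
# Added illustration, not VRED code: models the exception rules described
# above and reviews a configured allow list. All names here are assumptions.
import importlib
import inspect


def is_blocked(call, allowed_modules, allowed_functions, sandbox_enabled=True):
    """Decide whether a call such as 'socket.connect' stays blocked.
    `call` is assumed to be an operation the sandbox restricts by default."""
    if not sandbox_enabled:
        return False  # sandbox off: no restrictions at all
    module, _, _ = call.rpartition(".")
    if module in allowed_modules:
        return False  # module-level exception covers every function in it
    return call not in allowed_functions  # function-level exception is exact


def exception_breadth(entry):
    """Number of callables an allow-list entry unblocks: every public callable
    for a module entry, exactly one for a 'module.function' entry.
    Returns 0 when the entry does not resolve (typo or missing module).
    Importing runs module top-level code, so review trusted modules only."""
    try:
        mod = importlib.import_module(entry)
    except ImportError:
        module, _, func = entry.rpartition(".")
        try:
            target = getattr(importlib.import_module(module), func)
        except (ImportError, AttributeError, ValueError):
            return 0
        return 1 if callable(target) else 0
    return sum(1 for name, _ in inspect.getmembers(mod, callable)
               if not name.startswith("_"))


def review(allowed_modules, allowed_functions):
    """Return (entry, breadth) pairs, widest exception first."""
    entries = list(allowed_modules) + list(allowed_functions)
    return sorted(((e, exception_breadth(e)) for e in entries),
                  key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample configuration, not taken from a real project.
    for entry, breadth in review({"socket"}, {"socket.getaddrinfo"}):
        print(f"{entry}: unblocks {breadth} callable(s)")
```

Entries with a large breadth are candidates for narrowing to function-level exceptions; entries with a breadth of 0 do not resolve and are worth checking for typos.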
In addition to the preferences, the sandbox can also be controlled with command line options and an environment variable.
-insecure_python to completely switch off the sandbox.
-force_secure_python to force the sandbox to be switched on.
VRED_SECURE_PYTHON to force the sandbox to be switched on.