(Unnecessarily) restricted execution in scripted expression drivers (using e.g. "self", "bpy.data") #106372

Open
opened 2023-03-31 12:15:42 +02:00 by John Sinyard · 11 comments

System Information
Operating system: Linux-5.15.0-69-generic-x86_64-with-glibc2.35 64 Bits
Graphics card: Mesa Intel(R) HD Graphics 4600 (HSW GT2) Intel 4.6 (Core Profile) Mesa 22.2.5

Blender Version
Broken: version: 3.5.0, branch: blender-v3.5-release, commit date: 2023-03-29 02:56, hash: 1be25cfff18b
Worked: (newest version of Blender that worked as expected)

Short description of error
self causes error in scripted expression drivers

Exact steps for others to reproduce the error
In scripted expression drivers using expression "self.location.x" from Blender's manual and "self.location[0]" from online examples both fail with "ERROR: Invalid Python expression".
I have enabled "Use Self" in driver and "Auto Run Python Scripts" in preferences.

John Sinyard added the Priority: Normal, Type: Report, Status: Needs Triage labels 2023-03-31 12:15:42 +02:00
Iliya Katushenock added the Interest: Animation & Rigging, Interest: Python API labels 2023-03-31 12:41:33 +02:00
Member

Hi, thanks for the report. Enabling "auto execution" does fix the problem.
This error shows up because PyObject name is not found in the dictionary.
Not sure whether this is a bug or expected behavior. Forwarding to devs

Author

Do you mean "auto execution" is the same as "Auto Run Python Scripts" in "Save & Load" in Preferences?

If so then it does not fix the problem for me


I cannot reproduce this issue. Please attach an example blend file.

Counter-example: here's a bone that has a driver to make it rotate when you move it in the X-direction. It uses self.location.x as the Python expression: 106372-self-in-drivers.blend

image

Sybren A. Stüvel added Status: Needs Information from User and removed Status: Needs Info from Developers labels 2023-05-19 15:01:33 +02:00
Member

@dr.sybren , same error in your file too.
Guess "auto run python script" is enabled in your case (disable it and see if that reports the error)
Also uploaded a new test file.
image

Member

resetting the status until @dr.sybren confirms this ;)

Pratik Borhade added Status: Needs Triage and removed Status: Needs Information from User labels 2023-05-25 07:05:24 +02:00

Nope, this is with auto-execute disabled. I'm simply not seeing that error. At least not on current main, 35ca8bd80f352de4a8169756d4481c5765b1b91a

Iliya Katushenock removed the Module: Animation & Rigging label 2023-06-21 15:14:26 +02:00
Member

I can see that warning as well when opening the files

image

If I choose `Ignore` instead of `Allow Execution`, the mentioned error ("Invalid python expression") stays.

Also seeing this in the console:
`BPY_driver_exec: restricted access disallows name 'location', enable auto-execution to support`

This is true btw. not only when using `self`, you could also use something like `bpy.data.objects["Light"].location[0]` and get the same security mechanism kick in [the system to whitelist only a couple of terms was set up in 2ceff8bd63 btw.]
Isn't this all expected behavior then?

Now the question is: should we add a whole lot more to the whitelist?
Why would something in `bpy.data` for example be a security issue? I don't know.
(and same for `self`, yes).

Codewise, this is working as intended (so not necessarily a bug), would still be nice to hear opinions from @dr.sybren , @ideasman42 .

Philipp Oeser changed title from self causes error in scripted expression drivers to (Unnecessarily) restricted execution in scripted expression drivers (using e.g. "self", "bpy.data") 2023-06-23 12:48:36 +02:00

> I can see that warning as well when opening the files
>
> image

So this doesn't say "Invalid python expression".

> If I choose `Ignore` instead of `Allow Execution`, the mentioned error ("Invalid python expression") stays.

I still have never seen that "Invalid python expression" message. Also it makes sense that the Python expression is not working properly when Python execution has been denied.

> Also seeing this in the console:
> `BPY_driver_exec: restricted access disallows name 'location', enable auto-execution to support`

That is still expected, when there are drivers that require Python but the user did not allow Python.

> Now the question is: should we add a whole lot more to the whitelist?
> Why would something in `bpy.data` for example be a security issue? I don't know.

That would allow things like `D.texts['Text'].as_module()`, i.e. running arbitrary text blocks in the same blend file.

> (and same for `self`, yes).

I think `self` might be better suited to be allowed, but then again most properties of `self` can already be put into a variable. Just because it's possible to use `self.location.x` in a driver expression doesn't mean that you should. Using proper driver variables makes the depsgraph understand which properties are being accessed & influenced; without that, it's very simple to create buggy blend files.
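
A simplified model of the name allowlist discussed in the comments above, as an added example that is not Blender's own code: it compiles a driver expression without evaluating it and reports every referenced name that is not allow-listed. The allowlist contents (public `math` names, a few builtins, `self`, and a driver variable `var`) and the function name `restricted_names` are assumptions made for illustration.

```python
import math

# Constructed allowlist for illustration: public math names, a few builtins,
# the driver's own `self`, and one driver variable `var`. Blender's real list differs.
ALLOWED_NAMES = {n for n in dir(math) if not n.startswith("_")}
ALLOWED_NAMES |= {"abs", "min", "max", "round", "self", "var"}


def restricted_names(expression, allowed=ALLOWED_NAMES):
    """Return, in order of first use, every name the expression references
    that is not on the allowlist. Nothing is evaluated."""
    pending = [compile(expression, "<driver>", "eval")]
    rejected = []
    while pending:
        code = pending.pop()
        # co_names holds global names AND attribute names, so `.location`
        # and `.as_module` are checked exactly like `bpy` or `__import__`.
        for name in code.co_names:
            if name not in allowed and name not in rejected:
                rejected.append(name)
        # Lambdas and comprehensions compile to nested code objects.
        pending.extend(c for c in code.co_consts if hasattr(c, "co_names"))
    return rejected


if __name__ == "__main__":
    for expr in (
        "sin(var) * 2 + pi",
        "self.location.x",
        'bpy.data.objects["Light"].location[0]',
        "D.texts['Text'].as_module()",
        "(lambda: __import__('os'))()",
    ):
        bad = restricted_names(expr)
        print(f"{expr!r}: {'allowed' if not bad else 'blocked on ' + repr(bad[0])}")
```

Even with `self` allow-listed, `self.location.x` is rejected on `location`, the same name the console message in this thread reports. Because attribute names are checked like any other name, the same rule is what keeps `as_module` out.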

Member

> > I can see that warning as well when opening the files
> >
> > image
>
> So this doesn't say "Invalid python expression".

Yes, it does
image

Member

we could simply do this (swap the order of error messages)



diff --git a/source/blender/editors/space_graph/graph_buttons.c b/source/blender/editors/space_graph/graph_buttons.c
index 243b09583e6..3f90110dae7 100644
--- a/source/blender/editors/space_graph/graph_buttons.c
+++ b/source/blender/editors/space_graph/graph_buttons.c
@@ -1056,10 +1056,7 @@ static void graph_draw_driver_settings_panel(uiLayout *layout,
     col = uiLayoutColumn(layout, true);
     block = uiLayoutGetBlock(col);
 
-    if (driver->flag & DRIVER_FLAG_INVALID) {
-      uiItemL(col, TIP_("ERROR: Invalid Python expression"), ICON_CANCEL);
-    }
-    else if (!BKE_driver_has_simple_expression(driver)) {
+    if (!BKE_driver_has_simple_expression(driver)) {
       if ((G.f & G_FLAG_SCRIPT_AUTOEXEC) == 0) {
         /* TODO: Add button to enable? */
         uiItemL(col, TIP_("Python restricted for security"), ICON_ERROR);
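
Review bot: The new `if (!BKE_driver_has_simple_expression(driver))` at the top of this hunk makes the order of the checks load-bearing, but nothing in the code says why. Per this report, a driver blocked by the auto-exec restriction was shown as "ERROR: Invalid Python expression", which the removed branch only draws when `DRIVER_FLAG_INVALID` is set, so the restricted check has to be tested first. A short comment above the new `if` stating that would keep a later cleanup from swapping the branches back, and the `/* TODO: Add button to enable? */` is worth resolving now that "Python restricted for security" is the message users will see in this case.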
@@ -1068,6 +1065,9 @@ static void graph_draw_driver_settings_panel(uiLayout *layout,
         uiItemL(col, TIP_("Slow Python expression"), ICON_INFO);
       }
     }
+    else if (driver->flag & DRIVER_FLAG_INVALID) {
+      uiItemL(col, TIP_("ERROR: Invalid Python expression"), ICON_CANCEL);
+    }
 
     /* Explicit bpy-references are evil. Warn about these to prevent errors */
     /* TODO: put these in a box? */
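
Review bot: The added `else if (driver->flag & DRIVER_FLAG_INVALID)` pairs with the outer `if (!BKE_driver_has_simple_expression(driver))`, so it is only reached for simple expressions. A non-simple expression that is invalid while auto-exec is enabled now ends at the "Slow Python expression" label and the invalid error is never drawn. Suggest also testing `DRIVER_FLAG_INVALID` inside the auto-exec-enabled path, before the "Slow Python expression" label, so that only the restricted case suppresses the error.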

which would give us this [which is probably clearer?]:
image


Ah, right. Yes, that looks like a rather sensible improvement to me!

Reference: blender/blender#106372