A word of warning...
| Howard Dickson 2006-06-27, 9:08 pm |
| Folks,
Until recently, during our little text adventure, I wasn't aware that
Python shipped with a module (winreg) which could be imported to any
script, and used to interrogate the Windows registry.
This side of things I can see as being very useful to extract certain
Windows settings. However, the downside is that not only can it read
data, but it can also write and change data in ANY registry key.
This is potentially a major security issue!
I won't for obvious reasons post an example.
I mention this, just to make you aware of the security implications of
using scripts sourced from an unknown author, without first checking its
content.
If you are at all concerned, you should check the top of the script for
this line...
import _winreg
This loads the module which allows code to be added to access the
registry. If this line is there, you should check with the author what
is being accessed, and what he/she is using it for.
Just thought I'd give you all a heads up.
Rgds,
Howard
--
---oooOOOooo---
Sheilsoft
ComputerSystems
www.sheilsoft.com
---oooOOOooo---
| |
| Catlady 2006-06-27, 9:08 pm |
| thanks Howard!
"Howard Dickson" <howard@REMOVEsheilsoft.com> wrote in message
news:448c3970$1_1@cnews...
Folks,
Until recently, during our little text adventure, I wasn't aware that
Python shipped with a module (winreg) which could be imported to any
script, and used to interrogate the Windows registry.
This side of things I can see as being very useful to extract certain
Windows settings. However, the downside is that not only can it read
data, but it can also write and change data in ANY registry key.
This is potentially a major security issue!
I won't for obvious reasons post an example.
I mention this, just to make you aware of the security implications of
using scripts sourced from an unknown author, without first checking its
content.
If you are at all concerned, you should check the top of the script for
this line...
import _winreg
This loads the module which allows code to be added to access the
registry. If this line is there, you should check with the author what
is being accessed, and what he/she is using it for.
Just thought I'd give you all a heads up.
Rgds,
Howard
--
---oooOOOooo---
Sheilsoft
ComputerSystems
www.sheilsoft.com
---oooOOOooo---
| |
| SuzShook 2006-06-27, 9:08 pm |
| And as a further warning - that import _winreg can be *anywhere* in the
script - it doesn't have to be at the top! So it's doubly important to
question why script writers request that their scripts run from a Trusted
folder. Things like this can be "hidden" anywhere. That's why I hesitate
to make my scripts Trusted - I do have a few that need to run that way
because they open and save files - but as a general rule, I like to stay
away from this.
Thanks again to all who contributed to this effort - expect to see something
in the Tips & Tricks at the next update. Suz
Howard Dickson wrote:
> Folks,
>
> Until recently, during our little text adventure, I wasn't aware that
> Python shipped with a module (winreg) which could be imported to any
> script, and used to interrogate the Windows registry.
>
> This side of things I can see as being very useful to extract certain
> Windows settings. However, the downside is that not only can it read
> data, but it can also write and change data in ANY registry key.
>
> This is potentially a major security issue!
>
> I won't for obvious reasons post an example.
>
> I mention this, just to make you aware of the security implications of
> using scripts sourced from an unknown author, without first checking
> its content.
>
> If you are at all concerned, you should check the top of the script
> for this line...
>
> import _winreg
>
> This loads the module which allows code to be added to access the
> registry. If this line is there, you should check with the author what
> is being accessed, and what he/she is using it for.
>
> Just thought I'd give you all a heads up.
>
> Rgds,
> Howard
| |
| P. Caldwell 2006-06-27, 9:08 pm |
| Precisely why there have always been two separate scripts folders:
TRUSTED and RESTRICTED. Restricted should be used for every
script from any unknown source. Once scripts were enacted for PSP the
word of the day instantly became (and should always be), "let every
downloader beware".
Most of the script-gobbling public wouldn't know what they were reading
if they even bothered to open a script for perusals, which they won't.
Restricted folder containment is simply good sense. You know, like
keeping those knees together and them Levi's zipped whenever strolling
around the back alleys of skid row. Just good sense.
Any time an unknown script lands outside that RESTRICTED folder and gets
itself executed? Your beloved computer has just climbed into bed totally
naked with a total stranger.
Porter
Howard Dickson wrote:
> Folks,
>
> Until recently, during our little text adventure, I wasn't aware that
> Python shipped with a module (winreg) which could be imported to any
> script, and used to interrogate the Windows registry.
>
> This side of things I can see as being very useful to extract certain
> Windows settings. However, the downside is that not only can it read
> data, but it can also write and change data in ANY registry key.
>
> This is potentially a major security issue!
>
> I won't for obvious reasons post an example.
>
> I mention this, just to make you aware of the security implications of
> using scripts sourced from an unknown author, without first checking its
> content.
>
> If you are at all concerned, you should check the top of the script for
> this line...
>
> import _winreg
>
> This loads the module which allows code to be added to access the
> registry. If this line is there, you should check with the author what
> is being accessed, and what he/she is using it for.
>
> Just thought I'd give you all a heads up.
>
> Rgds,
> Howard
| |
| Barbara J Bradley 2006-06-27, 9:08 pm |
|
"P. Caldwell" <campratty@nomicecomcast.net> wrote in message
news:448c63b5$1_3@cnews...
> Any time an unknown script lands outside that RESTRICTED folder and gets
> itself executed? Your beloved computer has just climbed into bed totally
> naked with a total stranger.
>
> Porter
>
That is an interesting image to contemplate. :)
Barb
| |
| P. Caldwell 2006-06-27, 9:08 pm |
| Barbara J Bradley wrote:
> "P. Caldwell" <campratty@nomicecomcast.net> wrote in message
> news:448c63b5$1_3@cnews...
>
>
> That is an interesting image to contemplate. :)
> Barb
>
:) Hi Barb.
| |
| Spandex Rutabaga 2006-06-27, 9:08 pm |
| Howard Dickson wrote:
> Until recently, during our little text adventure, I wasn't aware that
> Python shipped with a module (winreg) which could be imported to any
> script, and used to interrogate the Windows registry.
>
> This side of things I can see as being very useful to extract certain
> Windows settings. However, the downside is that not only can it read
> data, but it can also write and change data in ANY registry key.
>
> This is potentially a major security issue!
You can include the os module and then you can run any program from
a script. You can format a disk, search OE address lists, ftp the
contents of a drive somewhere else, install programs, and so on.
That's why there are Restricted and Trusted folders. Do not indulge
in unprotected scripting with a stranger's scripts, ever. When in
doubt get a blood test by opening the script in a text editor and
looking at what it does. If you can't tell what it does seek medical
advice from a scripting expert. This is the real world and it's ugly
(except the part with vegetables in it, of course).
http://docs.python.org/lib/allos.html
| |
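As an added example (not code from any poster in this thread): a static check that finds the imports discussed above anywhere in a script, not only at the top, without running the script. The `subprocess`, `socket` and `ftplib` entries and both sample scripts are assumptions constructed for illustration; scripts written in Python 2 syntax that a Python 3 parser rejects fall back to a line scan.

```python
import ast
import re

# Modules named in the thread (_winreg, os) plus winreg, the module's later name.
# subprocess, socket and ftplib are additions assumed here for illustration.
FLAGGED = {"_winreg", "winreg", "os", "subprocess", "socket", "ftplib"}
IMPORT_RE = re.compile(
    r"\bfrom\s+([\w.]+)\s+import\b|\bimport\s+([\w., \t]+)"
    r"|__import__\(\s*['\"]([\w.]+)")

def _flag(lineno, names):
    return [(lineno, n) for n in names if n.split(".")[0] in FLAGGED]

def scan_ast(source):
    """Walk the whole syntax tree, so imports inside functions are found too."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            found += _flag(node.lineno, [a.name for a in node.names])
        elif isinstance(node, ast.ImportFrom):
            found += _flag(node.lineno, [node.module or ""])
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id == "__import__" and node.args
              and isinstance(node.args[0], ast.Constant)
              and isinstance(node.args[0].value, str)):
            found += _flag(node.lineno, [node.args[0].value])
    return sorted(found)

def scan_lines(source):
    """Fallback for Python 2 syntax that a Python 3 parser rejects."""
    found = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in IMPORT_RE.finditer(line.split("#", 1)[0]):
            if m.group(2):
                names = [p.split()[0] for p in m.group(2).split(",") if p.strip()]
            else:
                names = [m.group(1) or m.group(3)]
            found += _flag(lineno, names)
    return sorted(found)

def scan(source):
    try:
        return scan_ast(source)
    except SyntaxError:
        return scan_lines(source)

# Constructed samples, not real PSP scripts.
PY3_SAMPLE = 'import sys\ndef run():\n    x = 1\n    import _winreg\n    m = __import__("os")\n'
PY2_SAMPLE = 'print "starting"\ndef run():\n    from os import system\n    import sys, _winreg as reg\n'

if __name__ == "__main__":
    for sample in (PY3_SAMPLE, PY2_SAMPLE):
        print(scan(sample))
```

An empty result only means none of these literal imports were found; it does not replace reading the script or keeping it in the Restricted folder.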
| Fabrice Roux 2006-06-27, 9:08 pm |
| Well nothing new here... to be really evil... you can launch a Python based
BitTorrent client on the target, make it download Corel Warez, rat about
the "pirate" to Corel and get a couple of free licences. :)
ps: you can do the same with a pirate iTunes songs sharing service to get a
couple of free iPods. :)
--
Fabrice Roux aka [RS]Faramir_agst
PaintShop Pro and Tribes scripts
http://www.fabriceroux.com
| |
| Barbara J Bradley 2006-06-27, 9:08 pm |
|
"P. Caldwell" <campratty@nomicecomcast.net> wrote in message
news:448c7535$1_2@cnews...
> Barbara J Bradley wrote:
>
> :) Hi Barb.
Glad to see you pop in so I know you are still there!
Barb
| |
|
| "P. Caldwell" <campratty@nomicecomcast.net> wrote in
news:448c63b5$1_3@cnews:
> Precisely why there have always been two separate scripts folders:
> TRUSTED and RESTRICTED. Restricted should be used for every
> script from any unknown source. Once scripts were enacted for PSP the
> word of the day instantly became (and should always be), "let every
> downloader beware".
>
> Most of the script-gobbling public wouldn't know what they were
> reading if they even bothered to open a script for perusals, which
> they won't.
> Restricted folder containment is simply good sense. You know, like
> keeping those knees together and them Levi's zipped whenever strolling
> around the back alleys of skid row. Just good sense.
>
> Any time an unknown script lands outside that RESTRICTED folder and
> gets itself executed? Your beloved computer has just climbed into bed
> totally naked with a total stranger.
>
> Porter
>
You sure do know how to bring an issue to the forefront, Porter.
Now .... back to searching out these totally naked strangers
inhabiting my computer! :-)
Regards,
JoeB
[snipped]
| |
|
| Help please? I am new to the group and also to checking out the awesome
scripts that everyone here has done. But I'm scared now as to what may have
invaded my computer...
What is the difference between the restricted and trusted folders? I mean,
I know the difference but in downloading to one folder or another what's the
difference? How does the computer know the difference? I apologize for
being stupid but I want to make sure I'm doing things right here.
Thanks for helpful replies..
Kim
"Howard Dickson" <howard@REMOVEsheilsoft.com> wrote in message
news:448c3970$1_1@cnews...
> Folks,
>
> Until recently, during our little text adventure, I wasn't aware that
> Python shipped with a module (winreg) which could be imported to any
> script, and used to interrogate the Windows registry.
>
> This side of things I can see as being very useful to extract certain
> Windows settings. However, the downside is that not only can it read data,
> but it can also write and change data in ANY registry key.
>
> This is potentially a major security issue!
>
> I won't for obvious reasons post an example.
>
> I mention this, just to make you aware of the security implications of
> using scripts sourced from an unknown author, without first checking its
> content.
>
> If you are at all concerned, you should check the top of the script for
> this line...
>
> import _winreg
>
> This loads the module which allows code to be added to access the
> registry. If this line is there, you should check with the author what is
> being accessed, and what he/she is using it for.
>
> Just thought I'd give you all a heads up.
>
> Rgds,
> Howard
> --
>
> ---oooOOOooo---
>
> Sheilsoft
> ComputerSystems
>
> www.sheilsoft.com
>
> ---oooOOOooo---
| |
| Spandex Rutabaga 2006-08-02, 12:10 pm |
| Kim wrote:
>
> Help please? I am new to the group and also to checking out the awesome
> scripts that everyone here has done. But I'm scared now as to what may have
> invaded my computer...
It is extremely unlikely anything has "invaded" your computer.
> What is the difference between the restricted and trusted folders?
Scripts for PSP are written in a computer language called Python.
PSP is created to understand Python statements and use them to
execute PSP commands in much the same way you would use menu items
or tools in PSP by hand. However, Python is a general programming
language that allows you to do all sorts of other things, not just
executing PSP commands. For example, you could use it for text
processing or for doing math. One thing you can use it for is to
execute operating system commands. The capabilities are quite
extensive. You could create and delete files or folders, you could
format hard disks, you could execute other programs, you could
contact and send information to other computers, and so on.
Because of this and to protect you, most scripts should be placed
in the Restricted folders. In such a location when PSP encounters
anything that is outside the scope of PSP commands it will refuse
to execute the script, so protecting you from any potential bad
stuff. Exceptions to this rule are scripts that need to write or
delete files as part of what they do. Because they access files
PSP will not run them when they are in the Restricted folders.
Such scripts should be put in the Trusted folders. Only place
scripts in the Trusted folders if you know the source of the script
and you trust that source or if you have looked inside the script
yourself to make sure nothing naughty is going on.
With all that said, I have never heard of a PSP script actually
doing something naughty in real life (as opposed to what is
possible in theory). I haven't heard of my house burning down
either. Nonetheless, just in case, I have smoke detectors and
carry insurance. Think of Restricted and Trusted folders in that
way.
> I mean,
> I know the difference but in downloading to one folder or another what's the
> difference?
Restricted can't execute any naughty stuff. Just because a
script is in the Trusted folder doesn't mean it will actually
do anything naughty. A naughty script, like a virus or other
malware, shouldn't be anywhere in any folder on your computer :)
> How does the computer know the difference?
PSP knows what folders are to be treated how based on how the
File Locations for scripts are specified in File > Preferences.
If there is any doubt or ambiguity PSP will play it safe and
treat the folder as Restricted.
> I apologize for
> being stupid but I want to make sure I'm doing things right here.
Not knowing about scripts doesn't make you stupid. It only makes
you ignorant about scripts, a condition that affected all of us
at one time or another :)
> Thanks for helpful replies..
>
> Kim
| |
|
| Thank you very much Spandex, your reply helped me understand so much!!
Kat
"Spandex Rutabaga" <SpRu@agabatur.xednaps> wrote in message
news:44CA9B06.CA297A36@agabatur.xednaps...
> Kim wrote:
>
> It is extremely unlikely anything has "invaded" your computer.
>
>
> Scripts for PSP are written in a computer language called Python.
> PSP is created to understand Python statements and use them to
> execute PSP commands in much the same way you would use menu items
> or tools in PSP by hand. However, Python is a general programming
> language that allows you to do all sorts of other things, not just
> executing PSP commands. For example, you could use it for text
> processing or for doing math. One thing you can use it for is to
> execute operating system commands. The capabilities are quite
> extensive. You could create and delete files or folders, you could
> format hard disks, you could execute other programs, you could
> contact and send information to other computers, and so on.
>
> Because of this and to protect you, most scripts should be placed
> in the Restricted folders. In such a location when PSP encounters
> anything that is outside the scope of PSP commands it will refuse
> to execute the script, so protecting you from any potential bad
> stuff. Exceptions to this rule are scripts that need to write or
> delete files as part of what they do. Because they access files
> PSP will not run them when they are in the Restricted folders.
> Such scripts should be put in the Trusted folders. Only place
> scripts in the Trusted folders if you know the source of the script
> and you trust that source or if you have looked inside the script
> yourself to make sure nothing naughty is going on.
>
> With all that said, I have never heard of a PSP script actually
> doing something naughty in real life (as opposed to what is
> possible in theory). I haven't heard of my house burning down
> either. Nonetheless, just in case, I have smoke detectors and
> carry insurance. Think of Restricted and Trusted folders in that
> way.
>
>
> Restricted can't execute any naughty stuff. Just because a
> script is in the Trusted folder doesn't mean it will actually
> do anything naughty. A naughty script, like a virus or other
> malware, shouldn't be anywhere in any folder on your computer :)
>
>
> PSP knows what folders are to be treated how based on how the
> File Locations for scripts are specified in File > Preferences.
> If there is any doubt or ambiguity PSP will play it safe and
> treat the folder as Restricted.
>
>
> Not knowing about scripts doesn't make you stupid. It only makes
> you ignorant about scripts, a condition that affected all of us
> at one time or another :)
>
| |
| Doodles 2006-09-24, 7:18 pm |
| Thank you for this great explanation. I only included part of it when
replying to shorten the post. It was clear and concise and appreciated.
--
Barbara
"Spandex Rutabaga" <SpRu@agabatur.xednaps> wrote in message
news:44CA9B06.CA297A36@agabatur.xednaps...
> Kim wrote:
>
> It is extremely unlikely anything has "invaded" your computer.