Not now, but eventually sure, I'll add some way for the user to decide. I am very aware of the potential security problem, which is why these scripts are not run by the Python interpreter. But then the callables may eventually call Python code, so there is still risk there. I did block the usual hazardous Python built-in calls like eval and stuff, and also put a user-configurable restriction on which Python modules can be imported.
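The design described in the post above (expressions walked by a small evaluator rather than handed to the Python interpreter, hazardous built-ins blocked, and a configurable allowlist of modules), as an added example that is not part of the original post and is not FreeCAD's code. The names `evaluate`, `PolicyError` and the policy sets are hypothetical; the example goes slightly beyond the post by also rejecting every syntax node it does not explicitly handle and any underscore-prefixed attribute.

```python
import ast
import importlib
import operator

class PolicyError(Exception):
    """Raised when an expression steps outside the configured policy."""

# Assumed policy values (hypothetical, not FreeCAD's actual configuration).
BLOCKED_BUILTINS = {"eval", "exec", "compile", "open", "__import__", "getattr"}
SAFE_BUILTINS = {"abs": abs, "min": min, "max": max, "round": round}
BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
          ast.Mult: operator.mul, ast.Div: operator.truediv}

def evaluate(source, allowed_modules=frozenset({"math"})):
    """Evaluate an arithmetic expression by walking its AST; eval() is never called."""
    def resolve_callable(node):
        if isinstance(node, ast.Name):
            if node.id in BLOCKED_BUILTINS:
                raise PolicyError(f"blocked builtin: {node.id}")
            if node.id in SAFE_BUILTINS:
                return SAFE_BUILTINS[node.id]
        elif isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            # Only module.function is accepted, and only for allowlisted modules.
            if node.value.id not in allowed_modules:
                raise PolicyError(f"module not allowed: {node.value.id}")
            if node.attr.startswith("_"):
                raise PolicyError(f"private attribute: {node.attr}")
            func = getattr(importlib.import_module(node.value.id), node.attr, None)
            if callable(func):
                return func
        raise PolicyError("callable not allowed")

    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in BINOPS:
            return BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.Call) and not node.keywords:
            return resolve_callable(node.func)(*[walk(a) for a in node.args])
        # Anything not handled above (attributes, subscripts, lambdas, ...) is refused.
        raise PolicyError(f"node type not allowed: {type(node).__name__}")

    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise PolicyError(f"not an expression: {exc.msg}") from exc
    return walk(tree.body)
```

The residual risk the post mentions is visible here: every function reachable through an allowlisted module runs as ordinary Python, so the allowlist itself is the trust boundary.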
BOM (Bill Of Materials) function
Re: BOM (Bill Of Materials) function
Came here because this topic was linked from a help request.
Look here https://forum.freecadweb.org/viewtopic. ... 10#p282734 to see my attempt of a BOM with the new Reporting workbench. https://forum.freecadweb.org/viewtopic.php?f=9&t=33403
I think this is a pretty flexible approach. It doesn't really matter how the document is structured. The right SQL statement should get as much information out of the model as needed.
Hope this might be useful for some of you
Re: BOM (Bill Of Materials) function
I would like an option to not open scripted/spreadsheet files, so if I happen to click on one from a user it won't open.
Re: BOM (Bill Of Materials) function
What do you mean by "scripted/spreadsheet files"? And what does it have to do with BOM?
Re: BOM (Bill Of Materials) function
They're concerned with security implications (malware). Consider a feature like this as seen in Microsoft Excel:
And:
IIRC these warnings are based on the location/origin of the file. Doesn't seem worth it to me to support such things, though maybe there is some Python gizmo (e.g. sandboxing) which will safely handle such risks.
Spreadsheets in the cloud (Google Sheets & Microsoft equivalent) don't have access to the local file system but have permission-based access to other stuff in the cloud (per popup queries per their cloud API). All this is beyond my head/interest so don't take what I say as irrefutable truth.
Re: BOM (Bill Of Materials) function
This is true. Macros in spreadsheets are pretty bad.
But I don't exactly know what the security benefits are of disabling files with spreadsheets in them. Spreadsheets are a core feature of FreeCAD. If it is possible to write a FreeCAD file with a spreadsheet in it that deletes all files on a disk, this should be fixed. But what makes a FreeCAD file with a spreadsheet different to any other spreadsheet FreeCAD file? Why is a spreadsheet less trustworthy than, let's say, a simple expression in a Sketcher constraint? So one has to trust the FreeCAD core code (including spreadsheets). Otherwise one should not install FreeCAD at all (just my opinion).
For scripted files it is the same. If a FreeCAD file contains an object from a third-party workbench, and the workbench is not installed on my PC, nothing should ever get executed when I open such a file. And when I install a third-party workbench, I have to trust the code inside it. And then it does not matter when I open a file containing such an object.
Edit: fixed some typos
Last edited by furti on Sat Feb 02, 2019 7:29 am, edited 1 time in total.
Re: BOM (Bill Of Materials) function
In Excel it is possible to execute arbitrary code with its VBA or VSTO programming facilities. So every Excel sheet can be an individual program. There is no distinction between program and data files (except by the filename extension). In FreeCAD arbitrary Python code has been banned from being embedded in simple models for that very reason. So you have a distinction between the program (FreeCAD) and data (FreeCAD model files).
With this architecture you can always trust the data and you only have to validate the program once.
Re: BOM (Bill Of Materials) function
Unlike Excel, there is no scripting possible in FreeCAD spreadsheets, nor in any other part of a FreeCAD file. It's often confusing because FreeCAD has a "macros" feature, but it's very different than Excel macros, and it is not possible to embed macros inside a FreeCAD file, exactly for those same security reasons. *EDIT* Oops just repeating what chrisb said...
Re: BOM (Bill Of Materials) function
Likely comments are related to this discussion:
https://forum.freecadweb.org/viewtopic.php?f=3&t=30731
And somehow, likely, some thought the Reporting workbench is embedding Python code in the Spreadsheet.