[Bug/Issue/Cyber Security Flaw?] Grasshopper canvas color mysteriously changed!?

Hi,

Yesterday evening, while opening a GH file from the internet, specifically GitHub, my Grasshopper changed its background color to mouse grey?

Before (default):

Now:

  1. How can it be that an individual GH file can permanently mess with your program layout? This opens up a huge potential for trolling people!

  2. If custom layouts are allowed, which on an individual level seems fair (what do I care if John Doe wants to “mod” his Grasshopper), why doesn’t Grasshopper roll back to the local default once you close the file in question? Why do these changes stay permanent?

  3. There doesn’t seem to be a Restore Defaults option in the Grasshopper Preferences, so how the heck do I get the default canvas back?

  4. How big of a liability security-wise are GH files, when sharing or downloading them (i.e. hidden viruses, trojans, encryption schemes, etc.)?

Thanks.

Completely unsafe.

Yes

Restarting GH generally resolves that; you may also need to remove GH’s settings files.

Because there are too many values that can be changed. Due to the fact that GH is a .NET app, basically everyone can change everything.

Nope, I mean it doesn’t roll back on restart.

That means you need to reset GH’s settings file.

Wow, that’s f-ed up. :face_with_raised_eyebrow:

:thinking: Or just change the background color back to what you want?

Sure, but I don’t know what the default value was.

Anybody else? @John_Brock, @dan?

I have not modified the defaults, and I’m looking at grasshopper_gui.xml:

<item name="canvas_backcolor" type_name="gh_drawing_color" type_code="36">
      <ARGB>255;212;208;200</ARGB>
</item>

The path to that file is:
~/Library/Application Support/McNeel/Rhinoceros/ver/Plug-ins/Grasshopper ([big-long-guid])/grasshopper_gui.xml

Grasshopper ought to write that file again if it gets deleted…so, if you haven’t modified the defaults, it would be safe to delete as a reset.

If you are asking in general about the topic subject, then yes, @gankeyu’s assessment above seems correct. Use at your own risk.

Thanks.

Good to know! :slight_smile:

Would you maybe consider giving the option to roll back to a default layout (without restart)? Could be as simple as a little button under Grasshopper>Preferences>Palette or wherever you deem best.

What’s weird is that your default color is still a little different than my original one (and I can’t remember changing it since Rhino 5 at least). Whatever, thanks!

I think it’s a good idea. Something like it was already on our TODO list:

RH-51682 Grasshopper: Preferences: Restore Defaults button needed

and I’ve amended it a little to cover this request.

(I know it’s lame there’s a component out there that messes with your settings files.)

Before I open a downloaded definition I always disable the solver and search for hidden C#, Python and VB script components. Always! I read any script component before I run it. I think there should be a notification for any user and a function to list all script components, because I believe many are not aware of the security flaws.

Yes, I see, but that seems tremendously time-consuming. Also, a lot of people are not really that familiar with the scripting languages, I mean, to understand what exactly it is that the code does.
Your idea with the notifications seems like a double-edged sword though. Sure, this would alert users, but then “compiled” third-party components should also trigger a notification, since they are also prone to being harmful, and then all you deal with are security notifications, since many people use a lot of plugins.

Usually it is not. The component searchbar finds by component type. Most definitions have no or very small scripts within. I’m not trying to understand anything entirely, but I’m looking for unusual calls and using/imports. Actually, a scanning routine could do that to some extent. But yes, many users cannot do this; I’m just saying it should notify any user that downloading and executing a downloaded script is always a high security risk. I don’t know if most people are aware of this fact.
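
The scanning routine suggested in the last reply could look like the sketch below. It is an added example, not code from any poster in this thread or from McNeel. It assumes the definition has been saved in Grasshopper's XML form (.ghx) and that script text sits in `<item>` elements like those in the settings file quoted above; the item names in the sample and the pattern list are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Review heuristics (assumed, not exhaustive): API families worth a manual look
# before the solver is enabled on a downloaded definition.
PATTERNS = {
    "process launch": r"System\.Diagnostics|\bsubprocess\b|os\.system",
    "network access": r"System\.Net|\burllib\b|\bsocket\b",
    "file system": r"System\.IO|\bshutil\b|\bopen\s*\(",
    "dynamic code": r"System\.Reflection|DllImport|\bexec\s*\(|\beval\s*\(",
    "GUI settings": r"GH_Skin",
}

def scan_definition(xml_text):
    """Return (item_name, category, line_no, line) for every flagged line of <item> text."""
    findings = []
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        body = item.text or ""
        for line_no, line in enumerate(body.splitlines(), 1):
            for category, pattern in PATTERNS.items():
                if re.search(pattern, line):
                    findings.append((item.get("name"), category, line_no, line.strip()))
    return findings

# Constructed sample: one script that touches networking and the canvas skin,
# and one harmless script. Item names here are assumptions, not taken from a real file.
SAMPLE = """<Archive name="Root">
  <chunk name="Object">
    <item name="Name" type_name="gh_string" type_code="10">C# Script</item>
    <item name="ScriptSource" type_name="gh_string" type_code="10">using System.Net;
Grasshopper.GUI.Canvas.GH_Skin.canvas_back = System.Drawing.Color.Gray;
A = x * 2;</item>
  </chunk>
  <chunk name="Object">
    <item name="Name" type_name="gh_string" type_code="10">Python Script</item>
    <item name="CodeInput" type_name="gh_string" type_code="10">import math
a = math.sqrt(x)</item>
  </chunk>
</Archive>"""

if __name__ == "__main__":
    for name, category, line_no, line in scan_definition(SAMPLE):
        print(f"{name}:{line_no} [{category}] {line}")
```

A hit only marks a line for reading; it does not cover compiled third-party components, and a clean result does not make a definition safe to run.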