There is a basic web browser inside Houdini, very useful for browsing the documentation, studio tools or Houdini’s store, but it shouldn’t be used for anything else:
The browser communicates with Houdini and can launch Python code directly from a webpage. This can be extremely useful for creating tools, and that’s how I actually manage the auto-installation of my Houdini tools.
But this creates a direct entry point to your computer with Houdini’s rights. Any website can access all your files, steal all your login info and more without you knowing it happened… just by opening a URL or a Houdini file. It’s a big vulnerability, and that’s why you need to be very conservative about which websites you visit.
I did a little proof of concept to demonstrate it: just open this website inside Houdini’s Help Browser. You can download the code and test it on your own server if you don’t trust it (as you should).
A few things that could be done by SideFX to mitigate the problem:
There is a setting that seems to disable that functionality: go to Edit > Preferences > Miscellaneous and check Restrict Web Browser to Safe Commands, but it’s not working for me in Houdini 20.5.
You could create a phishing website copying Houdini’s help and replacing the user’s default help URL with it:
hou.setPreference('misc.externalhelpurl.val', 'https://houdini-browser-hack.netlify.app')
hou.setPreference('misc.useexternalhelp.val', '1')
desktop = hou.ui.curDesktop()
pane = desktop.createFloatingPane(hou.paneTabType.HelpBrowser)
Tip: You can use the HOUDINI_EXTERNAL_HELP_BROWSER environment variable to open your default OS browser instead of the embedded Help Browser. You won’t be able to use the buttons on the webpage to load Houdini’s help files though.
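To check whether the help preferences shown above have been changed on a workstation, here is an added audit example (not code from the original post). The trusted-host list, the function name and the reading of any non-empty, non-"0" value of HOUDINI_EXTERNAL_HELP_BROWSER as "enabled" are assumptions; outside Houdini it runs on constructed sample values.

```python
import os
from urllib.parse import urlsplit

# Assumption: hosts you accept for external help; adjust to your studio.
TRUSTED_HELP_HOSTS = {"www.sidefx.com"}


def audit_help_settings(get_pref, environ=os.environ, trusted=TRUSTED_HELP_HOSTS):
    """Return a list of findings about Houdini's help-browser settings.

    get_pref: callable mapping a preference name to its string value
              (hou.getPreference when run inside Houdini).
    """
    findings = []
    use_external = (get_pref("misc.useexternalhelp.val") or "0").strip()
    url = (get_pref("misc.externalhelpurl.val") or "").strip()

    # The external URL only matters when external help is switched on.
    if use_external == "1":
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append(f"external help URL is not HTTPS: {url!r}")
        if host not in trusted:
            findings.append(f"external help URL points to untrusted host: {host or url!r}")

    # Assumption: any non-empty value other than "0" enables the OS browser.
    if environ.get("HOUDINI_EXTERNAL_HELP_BROWSER", "0") in ("", "0"):
        findings.append("HOUDINI_EXTERNAL_HELP_BROWSER is not set: "
                        "help pages open in the embedded browser")
    return findings


if __name__ == "__main__":
    try:
        import hou  # only available inside Houdini / hython
        getter = hou.getPreference
    except ImportError:
        # Constructed sample: the modified values from the snippet above.
        sample = {
            "misc.useexternalhelp.val": "1",
            "misc.externalhelpurl.val": "https://houdini-browser-hack.netlify.app",
        }
        getter = sample.get
    for finding in audit_help_settings(getter):
        print("WARNING:", finding)
```

Run it from Houdini's Python Shell or hython to audit the live preferences; an empty result means external help is off or points to a trusted HTTPS host and the OS browser is in use.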