[Bf-committers] Keymaps and presets - Security issues?

Diego Gangl dnicolas at gmail.com
Wed Jun 10 01:59:00 CEST 2015


Hi guys,

There's something that's been on my mind recently: keymaps and presets are
Python files that run whatever code is in them every time they are used.

I tried pasting this code in the middle of a keymap file:

     from subprocess import Popen
     # runs with the user's privileges; any shell command could go here
     Popen('touch ~/boo.test', shell=True)

and sure enough the file boo.test is created. Are there any limitations or
checks when running these files? Because it looks like it would be easy for
someone to hide malicious code in there (not trying to sound like RMS :) )

Presets/keymaps are often shared online, and users can't be expected to
inspect these files for evilness. Why not use json or some other data
format?

Cheers!
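An added example, not part of the original post and not Blender's own code, that puts the two loading styles side by side: a preset loaded with exec() runs any statement smuggled into it, while the same settings expressed as JSON are parsed into plain values and validated against a whitelist of fields before anything downstream sees them. The field names (idname, type, ctrl, ...) and the keymap_items layout are assumptions made for the example, not Blender's real preset schema; the smuggled line sets an environment variable in the current process instead of creating a file, so it is harmless but still observable.

```python
import json
import os

# Marker the constructed payload sets instead of running `touch ~/boo.test`.
MARKER = "BOO_TEST_PRESET_DEMO"

# Constructed sample in today's format: a Python preset whose assignments are
# the data.  The third line is the kind of smuggled statement the post
# describes, made harmless here (it sets an environment variable).
PY_PRESET = """\
kmi_idname = "view3d.zoom"
kmi_type = "WHEELUPMOUSE"
import os; os.environ["BOO_TEST_PRESET_DEMO"] = "ran"
kmi_ctrl = True
"""

def load_py_preset(src):
    """The executable style: exec() the file and pick out the settings.
    Everything else in the file runs too, with the caller's privileges."""
    ns = {}
    exec(src, ns)
    return {k: v for k, v in ns.items() if k.startswith("kmi_")}

# The same preset as data (constructed).  An attacker can still write the
# payload text into a field, but a parser turns it into a string, never into
# a statement.
JSON_PRESET_HOSTILE = """\
{"keymap_items": [
  {"idname": "view3d.zoom", "type": "WHEELUPMOUSE", "ctrl": true,
   "payload": "import os; os.environ['BOO_TEST_PRESET_DEMO'] = 'ran'"}
]}
"""
JSON_PRESET_CLEAN = """\
{"keymap_items": [
  {"idname": "view3d.zoom", "type": "WHEELUPMOUSE", "ctrl": true}
]}
"""

# Whitelist of fields a keymap item may carry and the type each must have.
# Field names are assumptions for this example, not Blender's real schema.
ITEM_SCHEMA = {"idname": str, "type": str, "ctrl": bool, "shift": bool, "alt": bool}
REQUIRED = {"idname", "type"}

def load_json_preset(src):
    """Data-only loader: parse, then validate shape before anything downstream
    (for instance a setattr() onto a keymap item) sees the values.  Unknown
    keys are rejected rather than ignored, so a smuggled field cannot reach
    code that might treat key names as attribute names."""
    doc = json.loads(src)  # parsing never executes anything
    if not isinstance(doc, dict) or set(doc) != {"keymap_items"}:
        raise ValueError("top level must be an object with only 'keymap_items'")
    items = doc["keymap_items"]
    if not isinstance(items, list):
        raise ValueError("'keymap_items' must be a list")
    out = []
    for i, item in enumerate(items):
        if not isinstance(item, dict):
            raise ValueError(f"item {i}: not an object")
        unknown = set(item) - set(ITEM_SCHEMA)
        if unknown:
            raise ValueError(f"item {i}: unknown field(s) {sorted(unknown)}")
        missing = REQUIRED - set(item)
        if missing:
            raise ValueError(f"item {i}: missing {sorted(missing)}")
        for key, value in item.items():
            if type(value) is not ITEM_SCHEMA[key]:
                raise ValueError(f"item {i}: {key!r} must be {ITEM_SCHEMA[key].__name__}")
        out.append(dict(item))
    return out

def payload_ran():
    """Returns the marker value if the smuggled statement executed, else None."""
    return os.environ.get(MARKER)

def demo_python_preset():
    """Returns (settings, marker): the settings load, and the marker is set,
    which proves the extra statement ran alongside them."""
    os.environ.pop(MARKER, None)
    settings = load_py_preset(PY_PRESET)
    return settings, payload_ran()

def demo_json_presets():
    """Returns (hostile_error, clean_items, marker): the hostile file is
    rejected, the clean one loads, and nothing ran either way."""
    os.environ.pop(MARKER, None)
    try:
        load_json_preset(JSON_PRESET_HOSTILE)
        hostile_error = None
    except ValueError as e:
        hostile_error = str(e)
    clean_items = load_json_preset(JSON_PRESET_CLEAN)
    return hostile_error, clean_items, payload_ran()

if __name__ == "__main__":
    print(demo_python_preset())
    print(demo_json_presets())
```

The point of the whitelist is that switching to a data format only helps if the consumer stays dumb: a loader that parses JSON and then does eval() on string values, or setattr() with attacker-chosen key names, has reintroduced most of the problem. Rejecting unknown keys and checking each value's type keeps the shared file to exactly the shape the application expects.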

