[Bf-committers] Keymaps and presets - Security issues?

Campbell Barton ideasman42 at gmail.com
Wed Jun 10 06:33:40 CEST 2015


On Wed, Jun 10, 2015 at 9:59 AM, Diego Gangl <dnicolas at gmail.com> wrote:
> Hi guys,
>
> There's something that's been on my mind recently, keymaps and presets are
> python files that run whatever code is in them every time they are used.
>
> I tried pasting this code in the middle of a keymap file:
>
>      from subprocess import Popen
>      Popen('touch ~/boo.test', shell=True)
>
> and sure enough the file boo.test is created. Are there any limitations, or
> checks when running these files? Because it looks like it would be easy for
> someone to hide malicious code in there (not trying to sound like RMS :) )
>
> Presets/keymaps are often shared online, and users can't be expected to
> inspect these files for evilness. Why not use json or some other data
> format?
>
> Cheers!

Hi Diego, yes, this is a real issue, we could use JSON/XML (as we do
already for themes).

Though some keymap authors define their own operators & menus, so we
wouldn't want to drop support for Python keymaps entirely.
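The contrast the thread is drawing, as an added example that is not code from the thread or from Blender: a keymap loaded as a Python module is executed, so the Popen line in Diego's test runs like any other statement, while a keymap loaded as JSON is only parsed and every entry can be checked against a fixed schema before anything acts on it. The JSON layout, the key/modifier tables and the "module.operator" pattern for operator idnames are assumptions made for this example, not Blender's actual keymap format.

```python
import json
import re

# Assumed keymap layout (constructed for this example, not Blender's format):
# {"name": "...", "items": [{"idname": "wm.save_mainfile", "type": "S",
#                            "value": "PRESS", "ctrl": true}, ...]}
KEY_TYPES = ({chr(c) for c in range(ord("A"), ord("Z") + 1)}
             | {"ESC", "TAB", "SPACE", "RET", "DEL"} | {f"F{n}" for n in range(1, 13)})
KEY_VALUES = {"PRESS", "RELEASE", "CLICK", "DOUBLE_CLICK"}
MODIFIERS = {"ctrl", "shift", "alt", "oskey"}
ITEM_KEYS = {"idname", "type", "value"} | MODIFIERS
# Operator idnames have the shape "module.operator" (assumed pattern); a string
# that is anything other than such a name cannot pass this check.
IDNAME_RE = re.compile(r"^[a-z][a-z0-9_]*\.[a-z][a-z0-9_]*$")


class KeymapError(ValueError):
    """Raised when a keymap document is not well-formed data."""


def _check_item(index, item):
    """Validate one key binding and return a normalised copy of it."""
    if not isinstance(item, dict):
        raise KeymapError(f"item {index}: expected an object")
    unknown = set(item) - ITEM_KEYS
    if unknown:
        raise KeymapError(f"item {index}: unexpected keys {sorted(unknown)}")
    for required in ("idname", "type", "value"):
        if required not in item:
            raise KeymapError(f"item {index}: missing {required!r}")
    idname, ktype, kvalue = item["idname"], item["type"], item["value"]
    if not isinstance(idname, str) or not IDNAME_RE.match(idname):
        raise KeymapError(f"item {index}: bad operator idname {idname!r}")
    if not isinstance(ktype, str) or ktype not in KEY_TYPES:
        raise KeymapError(f"item {index}: unknown key type {ktype!r}")
    if not isinstance(kvalue, str) or kvalue not in KEY_VALUES:
        raise KeymapError(f"item {index}: unknown key value {kvalue!r}")
    mods = {}
    for mod in MODIFIERS:
        flag = item.get(mod, False)
        if not isinstance(flag, bool):
            raise KeymapError(f"item {index}: modifier {mod!r} must be true/false")
        mods[mod] = flag
    return {"idname": idname, "type": ktype, "value": kvalue, **mods}


def load_json_keymap(text):
    """Parse a JSON keymap and validate every entry before it is used.

    json.loads only builds dicts, lists, strings, numbers and booleans; it has
    no path that executes code, so a hostile file can at worst fail validation.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise KeymapError(f"not valid JSON: {exc}") from None
    if not isinstance(doc, dict) or set(doc) != {"name", "items"}:
        raise KeymapError("keymap must be an object with exactly 'name' and 'items'")
    if not isinstance(doc["name"], str) or not doc["name"]:
        raise KeymapError("keymap name must be a non-empty string")
    if not isinstance(doc["items"], list):
        raise KeymapError("'items' must be a list")
    return {"name": doc["name"],
            "items": [_check_item(i, it) for i, it in enumerate(doc["items"])]}


def load_python_keymap(text):
    """The status quo the thread describes: the keymap file is executed.

    Every statement in the file runs with the loading process's privileges;
    there is no point at which the loader can tell a binding from a Popen call.
    Returns the module namespace so the caller can see what the file did.
    """
    namespace = {}
    exec(compile(text, "<keymap>", "exec"), namespace)
    return namespace


# Constructed sample inputs.
GOOD_KEYMAP = json.dumps({"name": "example", "items": [
    {"idname": "wm.save_mainfile", "type": "S", "value": "PRESS", "ctrl": True},
    {"idname": "object.delete", "type": "X", "value": "PRESS"}]})

# JSON that tries to carry code anyway: the idname is not an operator name.
SMUGGLED_KEYMAP = json.dumps({"name": "evil", "items": [
    {"idname": "__import__('subprocess').Popen('touch ~/boo.test', shell=True)",
     "type": "S", "value": "PRESS"}]})

# A Python keymap with a side effect in the middle, like the Popen line in the
# original mail; here the side effect is a harmless marker instead of a file.
PYTHON_KEYMAP = """
SIDE_EFFECTS = ["ran arbitrary code while loading the keymap"]
keymap = {"name": "example", "items": [("wm.save_mainfile", "S", "PRESS")]}
"""


def demo():
    """Return (validated JSON keymap, rejection reason, Python keymap side effects)."""
    good = load_json_keymap(GOOD_KEYMAP)
    try:
        load_json_keymap(SMUGGLED_KEYMAP)
        reason = None
    except KeymapError as exc:
        reason = str(exc)
    effects = load_python_keymap(PYTHON_KEYMAP)["SIDE_EFFECTS"]
    return good, reason, effects


if __name__ == "__main__":
    good, reason, effects = demo()
    print(good["items"][0])
    print("smuggled JSON keymap rejected:", reason)
    print("python keymap did:", effects)
```

The validator is deliberately closed-world: unknown keys, non-string fields and idnames that are not of the expected shape are rejected rather than ignored, so a shared file cannot rely on a lenient parser to carry anything but bindings. Custom operators and menus, which Campbell notes some keymap authors define in Python, would still need a code path; the data format only covers the bindings themselves.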


More information about the Bf-committers mailing list