[Bf-committers] Keymaps and presets - Security issues?

Diego Gangl dnicolas at gmail.com
Wed Jun 10 17:15:02 CEST 2015


> Though some keymap authors define their own operators & menus, so we
> wouldn't want to drop support for Python keymaps entirely.

Wouldn't this be more in the addon territory? I'm sure those keymap authors
could write an addon as well.

2015-06-10 1:33 GMT-03:00 Campbell Barton <ideasman42 at gmail.com>:

> On Wed, Jun 10, 2015 at 9:59 AM, Diego Gangl <dnicolas at gmail.com> wrote:
> > Hi guys,
> >
> > There's something that's been on my mind recently, keymaps and presets
> > are Python files that run whatever code is in them every time they are used.
> >
> > I tried pasting this code in the middle of a keymap file:
> >
> >      from subprocess import Popen
> >      Popen('touch ~/boo.test', shell=True)
> >
> > and sure enough the file boo.test is created. Are there any limitations,
> > or checks when running these files? Because it looks like it would be easy
> > for someone to hide malicious code in there (not trying to sound like RMS
> > :) )
> >
> > Presets/keymaps are often shared online, and users can't be expected to
> > inspect these files for evilness. Why not use json or some other data
> > format?
> >
> > Cheers!
>
> Hi Diego, yes, this is a real issue, we could use JSON/XML (as we do
> already for themes).
>
> Though some keymap authors define their own operators & menus, so we
> wouldn't want to drop support for Python keymaps entirely.
> _______________________________________________
> Bf-committers mailing list
> Bf-committers at blender.org
> http://lists.blender.org/mailman/listinfo/bf-committers
>
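The data-format approach Diego suggests, as an added example that is not code from this thread or from Blender: a keymap expressed as JSON and loaded through a strict validator. The JSON layout and field names (`idname`, `type`, `value`, modifier flags, `properties`) are an assumption for this example. Because `json.loads` only builds data structures, a hostile keymap file can at most fail validation; there is no point at which its contents are executed.

```python
import json
import re

# Constructed sample keymap expressed as plain data. The JSON layout and field
# names are an assumption for this example, not Blender's own format.
SAMPLE_KEYMAP_JSON = """
{"name": "3D View", "items": [
  {"idname": "wm.save_mainfile", "type": "S", "value": "PRESS", "ctrl": true},
  {"idname": "object.delete", "type": "X", "value": "PRESS", "properties": {"use_global": false}}
]}
"""

# Only plain data gets through: a fixed key set, enum-like upper-case strings,
# boolean modifiers, and scalar-only operator properties.
_ITEM_KEYS = {"idname", "type", "value", "ctrl", "shift", "alt", "oskey", "properties"}
_IDNAME_RE = re.compile(r"^[a-z0-9_]+\.[a-z0-9_]+$")
_ENUM_RE = re.compile(r"^[A-Z0-9_]+$")

class KeymapError(ValueError):
    pass

def validate_item(item):
    if not isinstance(item, dict):
        raise KeymapError("keymap item must be an object")
    if set(item) - _ITEM_KEYS:
        raise KeymapError(f"unknown keys: {sorted(set(item) - _ITEM_KEYS)}")
    for key in ("idname", "type", "value"):
        if not isinstance(item.get(key), str):
            raise KeymapError(f"missing or non-string {key}")
    if not _IDNAME_RE.match(item["idname"]):
        raise KeymapError(f"bad operator idname {item['idname']!r}")
    if not (_ENUM_RE.match(item["type"]) and _ENUM_RE.match(item["value"])):
        raise KeymapError("type/value must be upper-case enum names")
    for mod in ("ctrl", "shift", "alt", "oskey"):
        if mod in item and not isinstance(item[mod], bool):
            raise KeymapError(f"{mod} must be a boolean")
    props = item.get("properties", {})
    if not isinstance(props, dict) or not all(
            isinstance(v, (bool, int, float, str)) for v in props.values()):
        raise KeymapError("properties must map names to scalar values")
    return item

def load_keymap(text):
    """Parse a keymap from JSON text. json.loads only builds data, so a hostile
    file can at most fail validation; it never gets to run code."""
    data = json.loads(text)
    if not (isinstance(data, dict) and isinstance(data.get("name"), str)
            and isinstance(data.get("items"), list)):
        raise KeymapError("keymap must be an object with 'name' and 'items'")
    return {"name": data["name"], "items": [validate_item(i) for i in data["items"]]}
```

Keymaps that define their own operators or menus would still need to ship as add-ons, as the reply above suggests; the loader only binds keys to operators that already exist.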