[Bf-committers] Keymaps and presets - Security issues?

Brecht Van Lommel brechtvanlommel at pandora.be
Wed Jun 10 19:08:33 CEST 2015
Even with JSON or XML you could create a malicious keymap. For example
you could use an operator to type any text into the text editor and
execute it, and assign that to a commonly used key shortcut. It just
requires a bit more creativity.

On Wed, Jun 10, 2015 at 5:15 PM, Diego Gangl <dnicolas at gmail.com> wrote:
>> Though some keymap authors define their own operators & menus, so we
>> wouldn't want to drop support for Python keymaps entirely.
>
> Wouldn't this be more in the addon territory? I'm sure those keymap authors
> could write an addon as well.
>
> 2015-06-10 1:33 GMT-03:00 Campbell Barton <ideasman42 at gmail.com>:
>
>> On Wed, Jun 10, 2015 at 9:59 AM, Diego Gangl <dnicolas at gmail.com> wrote:
>> > Hi guys,
>> >
>> > There's something that's been on my mind recently, keymaps and presets
>> are
>> > python files that run whatever code is in them every time they are used.
>> >
>> > I tried pasting this code in the middle of a keymap file:
>> >
>> >      from subprocess import Popen
>> >      Popen('touch ~/boo.test', shell=True)
>> >
>> > and sure enough the file boo.test is created. Are there any limitations,
>> or
>> > checks when running these files? Because it looks like it would be easy
>> for
>> > someone to hide malicious code in there (not trying to sound like RMS
>> :) )
>> >
>> > Presets/keymaps are often shared online, and users can't be expected to
>> > inspect these files for evilness. Why not use json or some other data
>> > format?
>> >
>> > Cheers!
>>
>> Hi Diego, yes, this is a real issue, we could use JSON/XML (as we do
>> already for themes).
>>
>> Though some keymap authors define their own operators & menus, so we
>> wouldn't want to drop support for Python keymaps entirely.
>> _______________________________________________
>> Bf-committers mailing list
>> Bf-committers at blender.org
>> http://lists.blender.org/mailman/listinfo/bf-committers
>>
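Added example, not Blender's code and not part of this thread: a keymap loader that reads bindings from JSON data instead of executing a Python file, and checks every operator against an explicit allowlist before a binding is accepted. This follows the mitigation Campbell proposes (a data format, as themes already use) and also covers Brecht's caveat that a data keymap can still chain operators into code execution, by refusing any operator that is not on the list. The JSON layout, the key and operator names, the allowlist contents and the sample keymaps are all assumptions made up for the illustration, not Blender's real keymap format or operator set.

```python
"""Added example (not Blender's code): load keymap bindings from JSON data
and validate each entry against an operator allowlist before applying it.

Assumptions: the JSON layout, the allowlist contents and the operator
names below are made up for this example; they are not Blender's keymap
format or API.
"""

import json
import re

# Constructed allowlist: only operators the host explicitly permits in a
# shared keymap. Operators that could run code indirectly (e.g. a text
# editor "run script" operator) are deliberately left out, because a data
# format alone does not stop a keymap from binding such an operator to a
# common shortcut.
ALLOWED_OPERATORS = {
    "view3d.rotate",
    "view3d.move",
    "object.select_all",
    "screen.screen_full_area",
}

ALLOWED_MODIFIERS = {"ctrl", "shift", "alt"}
KEY_NAME = re.compile(r"^[A-Z][A-Z0-9_]{0,31}$")
OPERATOR_NAME = re.compile(r"^[a-z][a-z0-9_]*\.[a-z][a-z0-9_]*$")


class KeymapError(ValueError):
    """Raised for any keymap entry that is malformed or not allowlisted."""


def load_keymap(text):
    """Parse keymap JSON and return a list of (key, operator, modifiers)
    tuples. Raises KeymapError instead of applying anything suspicious."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise KeymapError(f"not valid JSON: {exc}") from None
    if not isinstance(data, dict) or not isinstance(data.get("bindings"), list):
        raise KeymapError("expected an object with a 'bindings' list")

    bindings = []
    for i, entry in enumerate(data["bindings"]):
        if not isinstance(entry, dict):
            raise KeymapError(f"binding {i}: not an object")
        key = entry.get("key")
        op = entry.get("operator")
        mods = entry.get("modifiers", [])
        if not isinstance(key, str) or not KEY_NAME.match(key):
            raise KeymapError(f"binding {i}: bad key name {key!r}")
        if not isinstance(op, str) or not OPERATOR_NAME.match(op):
            raise KeymapError(f"binding {i}: bad operator name {op!r}")
        if op not in ALLOWED_OPERATORS:
            raise KeymapError(f"binding {i}: operator {op!r} is not allowlisted")
        if not isinstance(mods, list) or not all(m in ALLOWED_MODIFIERS for m in mods):
            raise KeymapError(f"binding {i}: bad modifiers {mods!r}")
        bindings.append((key, op, tuple(mods)))
    return bindings


def check(text):
    """Return (ok, detail): the bindings on success, the rejection reason otherwise."""
    try:
        return True, load_keymap(text)
    except KeymapError as exc:
        return False, str(exc)


# Constructed sample keymap that only uses allowlisted operators.
GOOD_KEYMAP = json.dumps({"bindings": [
    {"key": "A", "operator": "object.select_all"},
    {"key": "SPACE", "operator": "screen.screen_full_area", "modifiers": ["ctrl"]},
]})

# Constructed sample that binds a (hypothetical) script-running operator
# to a common shortcut; the loader must reject it even though it is valid JSON.
BAD_KEYMAP = json.dumps({"bindings": [
    {"key": "A", "operator": "object.select_all"},
    {"key": "S", "operator": "text.run_script", "modifiers": ["ctrl"]},
]})


if __name__ == "__main__":
    for name, keymap in (("good", GOOD_KEYMAP), ("bad", BAD_KEYMAP)):
        ok, detail = check(keymap)
        print(name, "accepted:" if ok else "rejected:", detail)
```

The allowlist is the part that matters: validating names and types alone would still accept a well-formed binding to an operator that types and runs text, so the host decides which operators a shared keymap may reference at all, and anything outside that set fails before it is applied.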