[Bf-committers] Keymaps and presets - Security issues?

Sergey Sharybin sergey.vfx at gmail.com
Wed Jun 10 19:26:24 CEST 2015


I'm not really sure why switching to any other format of storing keymaps
will help in any way, apart from introducing inconvenience to the folks who
keep customization operators in the keymap (well, granted it's not the best
approach in the world but that's how maya/3ds keymaps worked in blender for
quite some time).

The thing is, even if the keymaps are safe, you still have a risk when
installing someone's addon or even opening the .blend file.

So my question is: shall we really worry about this?

On Wed, Jun 10, 2015 at 7:08 PM, Brecht Van Lommel <
brechtvanlommel at pandora.be> wrote:

> Even with JSON or XML you could create a malicious keymap. For example
> you could use an operator to type any text into the text editor and
> execute it, and assign that to a commonly used key shortcut. It just
> requires a bit more creativity.
>
> On Wed, Jun 10, 2015 at 5:15 PM, Diego Gangl <dnicolas at gmail.com> wrote:
> >> Though some keymap authors define their own operators & menus, so we
> >> wouldn't want to drop support for Python keymaps entirely.
> >
> > Wouldn't this be more in the addon territory? I'm sure those keymap
> > authors could write an addon as well.
> >
> > 2015-06-10 1:33 GMT-03:00 Campbell Barton <ideasman42 at gmail.com>:
> >
> >> On Wed, Jun 10, 2015 at 9:59 AM, Diego Gangl <dnicolas at gmail.com> wrote:
> >> > Hi guys,
> >> >
> >> > There's something that's been on my mind recently, keymaps and presets
> >> > are python files that run whatever code is in them every time they are
> >> > used.
> >> >
> >> > I tried pasting this code in the middle of a keymap file:
> >> >
> >> >      from subprocess import Popen
> >> >      Popen('touch ~/boo.test', shell=True)
> >> >
> >> > and sure enough the file boo.test is created. Are there any
> >> > limitations or checks when running these files? Because it looks like
> >> > it would be easy for someone to hide malicious code in there (not
> >> > trying to sound like RMS :) )
> >> >
> >> > Presets/keymaps are often shared online, and users can't be expected
> >> > to inspect these files for evilness. Why not use json or some other
> >> > data format?
> >> >
> >> > Cheers!
> >>
> >> Hi Diego, yes, this is a real issue, we could use JSON/XML (as we do
> >> already for themes).
> >>
> >> Though some keymap authors define their own operators & menus, so we
> >> wouldn't want to drop support for Python keymaps entirely.
> >> _______________________________________________
> >> Bf-committers mailing list
> >> Bf-committers at blender.org
> >> http://lists.blender.org/mailman/listinfo/bf-committers
> >>
>



-- 
With best regards, Sergey Sharybin
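The two points made in the thread, as an added defensive sketch that is not Blender code: a keymap written in Python syntax can be read as data instead of being exec()ed, and, since a data-only keymap can still bind an operator that runs scripts (Brecht's point), every binding's operator name is vetted against an allow/deny list. The `KEYMAP = <literal>` file layout, the operator prefixes, the denied names and the sample inputs are all assumptions constructed for this example.

```python
import ast
import json

# Constructed allow/deny lists: illustrative Blender-style operator idnames
# chosen for this example, not a list taken from the project.
ALLOWED_OPERATOR_PREFIXES = ("view3d.", "object.", "mesh.", "screen.", "text.")
DENIED_OPERATORS = {"text.run_script", "script.python_file_run"}

# Constructed sample inputs (not real Blender keymap files).
SAFE_PY_KEYMAP = 'KEYMAP = [{"op": "view3d.cursor3d", "key": "RIGHTMOUSE"}]\n'
BAD_PY_KEYMAP = "from subprocess import Popen\n" + SAFE_PY_KEYMAP
BAD_JSON_KEYMAP = '[{"op": "text.run_script", "key": "A"}]'

class UnsafeKeymap(ValueError):
    """The keymap would run code or bind an operator that runs scripts."""

def load_python_keymap_as_data(src):
    """Read a Python-syntax keymap WITHOUT exec(): only `KEYMAP = <literal>`
    is accepted. Imports, calls and other statements are rejected, and
    ast.literal_eval refuses non-literals such as __import__("os").system()."""
    tree = ast.parse(src)
    if len(tree.body) != 1 or not isinstance(tree.body[0], ast.Assign):
        raise UnsafeKeymap("keymap file must contain only a KEYMAP literal")
    target = tree.body[0].targets
    if len(target) != 1 or not isinstance(target[0], ast.Name) or target[0].id != "KEYMAP":
        raise UnsafeKeymap("expected a single KEYMAP assignment")
    return ast.literal_eval(tree.body[0].value)  # ValueError on anything non-literal

def validate_bindings(bindings):
    """Reject operators a data-only keymap could still abuse (Brecht's point)."""
    for binding in bindings:
        op = binding.get("op", "")
        if op in DENIED_OPERATORS or not op.startswith(ALLOWED_OPERATOR_PREFIXES):
            raise UnsafeKeymap(f"operator {op!r} may not be bound by a shared keymap")
    return bindings

def load_shared_keymap(text, fmt):
    """Parse a 'py' (data-only) or 'json' keymap, then vet every binding."""
    data = json.loads(text) if fmt == "json" else load_python_keymap_as_data(text)
    return validate_bindings(data)

def is_rejected(text, fmt):
    """True when the loader refuses the keymap (UnsafeKeymap, literal_eval
    or JSON decode errors are all ValueError subclasses)."""
    try:
        load_shared_keymap(text, fmt)
    except ValueError:
        return True
    return False
```

The same vetting applies to a keymap that arrives in Blender's existing Python form: the file is never executed, so the `Popen` line from Diego's test is rejected at the parse stage rather than run.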

