[Bf-committers] Keymaps and presets - Security issues?

Marc Dion marcdion1974 at gmail.com
Wed Jun 10 19:59:55 CEST 2015


It's likely that as soon as one person is affected by malicious code,
everybody is going to hear about it rather quickly.  News spreads fast
around here.

People usually have to build up trust for some time before code or .blends
they've put together start to become of interest to others.

If I'm not mistaken, *User Preferences->File->Auto Execution: Auto Run
Python Scripts* can be disabled for people who are concerned about this.

Perhaps someone will take the initiative to build a utility that can scan
Blender related material for suspicious code, (something that can detect
file deletion commands would be a solid start for this ;)

Render farm maintainers might appreciate something like this since who
knows what people are going to send over to their machines.

On Wed, Jun 10, 2015 at 10:26 AM, Sergey Sharybin <sergey.vfx at gmail.com>
wrote:

> I'm not really sure why switching to any other format of storing keymaps
> will help in any way, apart from introducing inconvenience to the folks who
> keep customization operators in the keymap (well, granted it's not best
> approach in the world but that's how maya/3ds keymaps worked in blender for
> quite some time).
>
> The thing is, even if the keymaps are safe, you're still having risk when
> installing someone's addon or even opening the .blend file.
>
> So my question is: shall we really worry about this?
>
> > On Wed, Jun 10, 2015 at 7:08 PM, Brecht Van Lommel <brechtvanlommel at pandora.be> wrote:
>
> > Even with JSON or XML you could create a malicious keymap. For example
> > you could use an operator to type any text into the text editor and
> > execute it, and assign that to a commonly used key shortcut. It just
> > requires a bit more creativity.
> >
> > On Wed, Jun 10, 2015 at 5:15 PM, Diego Gangl <dnicolas at gmail.com> wrote:
> > >> Though some keymap authors define their own operators & menus, so we
> > >> wouldn't want to drop support for Python keymaps entirely.
> > >
> > > Wouldn't this be more in the addon territory? I'm sure those keymap
> > > authors could write an addon as well.
> > >
> > >
> > >
> > >
> > > 2015-06-10 1:33 GMT-03:00 Campbell Barton <ideasman42 at gmail.com>:
> > >
> > >> On Wed, Jun 10, 2015 at 9:59 AM, Diego Gangl <dnicolas at gmail.com> wrote:
> > >> > Hi guys,
> > >> >
> > >> > There's something that's been on my mind recently, keymaps and
> > >> > presets are python files that run whatever code is in them every time
> > >> > they are used.
> > >> >
> > >> > I tried pasting this code in the middle of a keymap file:
> > >> >
> > >> >      from subprocess import Popen
> > >> >      Popen('touch ~/boo.test', shell=True)
> > >> >
> > >> > and sure enough the file boo.test is created. Are there any
> > >> > limitations, or checks when running these files? Because it looks like
> > >> > it would be easy for someone to hide malicious code in there (not
> > >> > trying to sound like RMS :) )
> > >> >
> > >> > Presets/keymaps are often shared online, and users can't be expected
> > >> > to inspect these files for evilness. Why not use json or some other
> > >> > data format?
> > >> >
> > >> > Cheers!
> > >>
> > >> Hi Diego, yes, this is a real issue, we could use JSON/XML (as we do
> > >> already for themes).
> > >>
> > >> Though some keymap authors define their own operators & menus, so we
> > >> wouldn't want to drop support for Python keymaps entirely.
> > >> _______________________________________________
> > >> Bf-committers mailing list
> > >> Bf-committers at blender.org
> > >> http://lists.blender.org/mailman/listinfo/bf-committers
> > >>
> >
>
>
>
> --
> With best regards, Sergey Sharybin
>
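
The scanner Marc suggests above (something that flags file-deletion and process-spawning calls in shared keymap or preset files) can be sketched as follows. This is an added example written for this thread, not Blender code and not anything the participants posted. It parses the file with Python's `ast` module without ever executing it, and it tracks import aliases so that both `from subprocess import Popen` followed by `Popen(...)` and a direct `os.remove(...)` are reported. The watch list, the `scan_source`/`scan_file` names and the embedded sample keymap are constructed for illustration; the real mitigation the thread points at remains the Auto Run Python Scripts preference.

```python
"""
Static scan of a Blender keymap/preset .py file for calls it should never need.

Added example (not Blender code): parse with `ast`, never execute, and flag
process-spawning, file-deletion and dynamic-execution calls. The watch list
and the sample keymap below are constructed for illustration.
"""
import ast
import sys

# (module, function) pairs a keymap or preset has no business calling.
SUSPICIOUS_CALLS = {
    ("subprocess", "Popen"), ("subprocess", "call"), ("subprocess", "run"),
    ("subprocess", "check_call"), ("subprocess", "check_output"),
    ("os", "system"), ("os", "popen"),
    ("os", "remove"), ("os", "unlink"), ("os", "rmdir"), ("os", "removedirs"),
    ("shutil", "rmtree"), ("shutil", "move"),
}
# Builtins that turn data into code.
SUSPICIOUS_BUILTINS = {"eval", "exec", "__import__"}


class _Scanner(ast.NodeVisitor):
    def __init__(self):
        self.aliases = {}   # local name -> (module, attr-or-None)
        self.findings = []  # (line number, dotted call name)

    def visit_Import(self, node):
        for alias in node.names:          # "import subprocess as sp"
            local = alias.asname or alias.name.split(".")[0]
            self.aliases[local] = (alias.name, None)

    def visit_ImportFrom(self, node):
        if node.module:                   # "from os import remove as rm"
            for alias in node.names:
                self.aliases[alias.asname or alias.name] = (node.module, alias.name)

    def _resolve(self, func):
        """Map the callee expression back to (module, attr); None if unknown."""
        if isinstance(func, ast.Name):
            if func.id in self.aliases:
                module, attr = self.aliases[func.id]
                if attr is not None:
                    return module, attr   # imported function called by local name
            return None, func.id          # plain name: builtin or local def
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            base = func.value.id
            if base in self.aliases and self.aliases[base][1] is None:
                return self.aliases[base][0], func.attr   # module.attr via alias
            return base, func.attr
        return None                       # deeper chains such as os.path.x are ignored

    def visit_Call(self, node):
        target = self._resolve(node.func)
        if target is not None:
            module, attr = target
            if (module, attr) in SUSPICIOUS_CALLS or (
                module is None and attr in SUSPICIOUS_BUILTINS
            ):
                name = f"{module}.{attr}" if module else attr
                self.findings.append((node.lineno, name))
        self.generic_visit(node)          # keep walking into the call arguments


def scan_source(source):
    """Return [(lineno, dotted_call)] for every suspicious call in the source."""
    scanner = _Scanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


def scan_file(path):
    with open(path, encoding="utf-8") as fh:
        return scan_source(fh.read())


# Constructed sample: a normal keymap header (Blender's presets use this
# os.path idiom, which must not be flagged) followed by injected lines of the
# kind Diego pasted in.
SAMPLE_KEYMAP = '''\
import os
import bpy

wm = bpy.context.window_manager
kc = wm.keyconfigs.new(os.path.splitext(os.path.basename(__file__))[0])

# injected lines (constructed)
from subprocess import Popen
Popen('touch ~/boo.test', shell=True)
os.remove(os.path.expanduser('~/important.blend'))
'''

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = [scan_file(p) for p in paths] if paths else [scan_source(SAMPLE_KEYMAP)]
    for label, hits in zip(paths or ["<sample>"], results):
        for lineno, name in hits:
            print(f"{label}:{lineno}: suspicious call {name}")
```

Run it with no arguments to scan the embedded sample, or pass one or more `.py` keymap/preset paths. It is a triage heuristic, not a sandbox: it only resolves the import patterns shown, so a render-farm intake check built on it belongs beside, not instead of, disabling auto-run for untrusted files.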

