[Bf-committers] Keymaps and presets - Security issues?

Campbell Barton ideasman42 at gmail.com
Wed Jun 10 20:12:17 CEST 2015


On Thu, Jun 11, 2015 at 3:59 AM, Marc Dion <marcdion1974 at gmail.com> wrote:
> It's likely that as soon as one person is affected by malicious code,
> everybody is going to hear about it rather quickly.  News spreads fast
> around here.
>
> People usually have to build up trust for some time before code or .blends
> they've put together start to become of interest to others.
>
> If I'm not mistaken, *User Preferences->File->Auto Execution: Auto Run
> Python Scripts* can be disabled for people who are concerned about this.

Yes, and this is default off, so opening Blends from untrusted sources
won't execute code by default.

> Perhaps someone will take the initiative to build a utility that can scan
> Blender related material for suspicious code, (something that can detect
> file deletion commands would be a solid start for this ;)

Such tools have near-zero use: you can scan for 'os.remove', but then
someone can just work around it with
'getattr(__import__("".join(reversed(list("so")))),
"".join(reversed(list("evomer"))))'

> Render farm maintainers might appreciate something like this since who
> knows what people are going to send over to their machines.

Containers apparently have very low overhead these days and provide
good sand-boxing mechanisms.

> On Wed, Jun 10, 2015 at 10:26 AM, Sergey Sharybin <sergey.vfx at gmail.com>
> wrote:
>
>> I'm not really sure why switching to any other format of storing keymaps
>> will help in any way, apart from introducing inconvenience to the folks who
>> keep customization operators in the keymap (well, granted it's not the best
>> approach in the world but that's how maya/3ds keymaps worked in blender for
>> quite some time).
>>
>> The thing is, even if the keymaps are safe, you're still having risk when
>> installing someone's addon or even opening the .blend file.
>>
>> So my question is: shall we really worry about this?
>>
>> On Wed, Jun 10, 2015 at 7:08 PM, Brecht Van Lommel <
>> brechtvanlommel at pandora.be> wrote:
>>
>> > Even with JSON or XML you could create a malicious keymap. For example
>> > you could use an operator to type any text into the text editor and
>> > execute it, and assign that to a commonly used key shortcut. It just
>> > requires a bit more creativity.
>> >
>> > On Wed, Jun 10, 2015 at 5:15 PM, Diego Gangl <dnicolas at gmail.com> wrote:
>> > >> Though some keymap authors define their own operators & menus, so we
>> > >> wouldn't want to drop support for Python keymaps entirely.
>> > >
>> > > Wouldn't this be more in the addon territory? I'm sure those keymap
>> > > authors could write an addon as well.
>> > >
>> > > 2015-06-10 1:33 GMT-03:00 Campbell Barton <ideasman42 at gmail.com>:
>> > >
>> > >> On Wed, Jun 10, 2015 at 9:59 AM, Diego Gangl <dnicolas at gmail.com>
>> > wrote:
>> > >> > Hi guys,
>> > >> >
>> > >> > There's something that's been on my mind recently, keymaps and presets
>> > >> > are Python files that run whatever code is in them every time they are
>> > >> > used.
>> > >> >
>> > >> > I tried pasting this code in the middle of a keymap file:
>> > >> >
>> > >> >      from subprocess import Popen
>> > >> >      Popen('touch ~/boo.test', shell=True)
>> > >> >
>> > >> > and sure enough the file boo.test is created. Are there any limitations
>> > >> > or checks when running these files? Because it looks like it would be
>> > >> > easy for someone to hide malicious code in there (not trying to sound
>> > >> > like RMS :) )
>> > >> >
>> > >> > Presets/keymaps are often shared online, and users can't be expected to
>> > >> > inspect these files for evilness. Why not use JSON or some other data
>> > >> > format?
>> > >> >
>> > >> > Cheers!
>> > >>
>> > >> Hi Diego, yes, this is a real issue, we could use JSON/XML (as we do
>> > >> already for themes).
>> > >>
>> > >> Though some keymap authors define their own operators & menus, so we
>> > >> wouldn't want to drop support for Python keymaps entirely.
>> > >> _______________________________________________
>> > >> Bf-committers mailing list
>> > >> Bf-committers at blender.org
>> > >> http://lists.blender.org/mailman/listinfo/bf-committers
>> > >>
>> >
>>
>>
>>
>> --
>> With best regards, Sergey Sharybin
>>



-- 
- Campbell
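The data-only keymap format Diego asks about above (and Campbell agrees Blender already uses for themes), together with Brecht's caveat that a JSON keymap can still bind a dangerous operator to a common shortcut, as an added Python example. This is illustrative code written for this thread, not Blender's own keymap loader; the JSON schema, the operator idnames, the key names and the hypothetical "text.run_buffer" operator are all constructed for the example. The point it shows is twofold: JSON cannot carry code at all (a pasted `Popen(...)` line is just a string that fails the idname check), and an allowlist of operator idnames is what addresses Brecht's "type text into the editor and run it" case, which a data format alone does not.

```python
"""Added example: a data-only keymap format with strict validation.

Not Blender's code. Operator idnames, key names and the JSON layout are
constructed for illustration.
"""
import json
import re

# Constructed allowlist of operators a shared keymap may bind. Anything not
# listed is rejected, which keeps an operator that executes text-editor
# contents (stood in for here by the hypothetical "text.run_buffer") out of a
# downloaded preset even though the file format itself is plain data.
ALLOWED_OPERATORS = frozenset({
    "view3d.select",
    "object.delete",
    "object.duplicate_move",
    "screen.redo_last",
})

ALLOWED_KEY_TYPES = frozenset(
    [chr(c) for c in range(ord("A"), ord("Z") + 1)]
    + ["SPACE", "TAB", "DEL", "LEFTMOUSE", "RIGHTMOUSE"]
)
ALLOWED_VALUES = frozenset({"PRESS", "RELEASE", "CLICK"})
MODIFIER_KEYS = ("ctrl", "shift", "alt", "oskey")
SCALAR_TYPES = (str, int, float, bool)

# Operator idnames have the shape "module.name"; anything else (a Python
# expression, a dotted attribute chain) fails here before the allowlist is
# even consulted.
_IDNAME_RE = re.compile(r"^[a-z0-9_]+\.[a-z0-9_]+$")


class KeymapError(ValueError):
    """Raised for any keymap item that fails validation."""


def validate_item(item, index):
    """Return a normalised copy of one keymap item or raise KeymapError."""
    if not isinstance(item, dict):
        raise KeymapError(f"item {index}: expected an object")
    unknown = set(item) - {"idname", "type", "value", "properties", *MODIFIER_KEYS}
    if unknown:
        raise KeymapError(f"item {index}: unknown keys {sorted(unknown)}")
    idname = item.get("idname")
    if not isinstance(idname, str) or not _IDNAME_RE.match(idname):
        raise KeymapError(f"item {index}: malformed idname {idname!r}")
    if idname not in ALLOWED_OPERATORS:
        raise KeymapError(f"item {index}: operator {idname!r} is not allowed")
    if item.get("type") not in ALLOWED_KEY_TYPES:
        raise KeymapError(f"item {index}: bad key type {item.get('type')!r}")
    value = item.get("value", "PRESS")
    if value not in ALLOWED_VALUES:
        raise KeymapError(f"item {index}: bad value {value!r}")
    for mod in MODIFIER_KEYS:
        if not isinstance(item.get(mod, False), bool):
            raise KeymapError(f"item {index}: modifier {mod} must be a bool")
    # Operator properties are restricted to flat name -> scalar pairs.
    props = item.get("properties", {})
    if not isinstance(props, dict) or not all(
        isinstance(k, str) and isinstance(v, SCALAR_TYPES) for k, v in props.items()
    ):
        raise KeymapError(f"item {index}: properties must map names to scalars")
    return {
        "idname": idname,
        "type": item["type"],
        "value": value,
        **{mod: item.get(mod, False) for mod in MODIFIER_KEYS},
        "properties": dict(props),
    }


def load_keymap(text):
    """Parse a JSON keymap and return its validated items, or raise KeymapError."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise KeymapError(f"not valid JSON: {exc}") from None
    if not isinstance(doc, dict) or not isinstance(doc.get("items"), list):
        raise KeymapError("keymap must be an object with an 'items' list")
    return [validate_item(item, i) for i, item in enumerate(doc["items"])]


def check_keymap(text):
    """Convenience wrapper returning (ok, items) or (False, error message)."""
    try:
        return True, load_keymap(text)
    except KeymapError as exc:
        return False, str(exc)


# Constructed sample keymaps.
GOOD_KEYMAP = json.dumps({"items": [
    {"idname": "view3d.select", "type": "LEFTMOUSE", "value": "CLICK"},
    {"idname": "object.delete", "type": "X", "ctrl": True,
     "properties": {"use_global": False}},
]})

# Brecht's case: a hypothetical "run the text buffer" operator on a common key.
BAD_OPERATOR_KEYMAP = json.dumps({"items": [
    {"idname": "text.run_buffer", "type": "SPACE"},
]})

# Diego's pasted line is inert here: it is a string, not an idname.
PYTHON_IN_IDNAME = json.dumps({"items": [
    {"idname": "Popen('touch ~/boo.test', shell=True)", "type": "A"},
]})

if __name__ == "__main__":
    for name, text in [("good", GOOD_KEYMAP), ("bad operator", BAD_OPERATOR_KEYMAP),
                       ("code in idname", PYTHON_IN_IDNAME)]:
        print(name, check_keymap(text))
```

The allowlist is deliberately an allowlist rather than a denylist of known-bad operators, for the same reason Campbell gives about scanning for 'os.remove': a denylist is only as good as its author's imagination, whereas an allowlist makes every operator a keymap may bind an explicit decision. Custom operators and menus, which Campbell notes some keymap authors need, would then live in an addon that the user installs knowingly, rather than in the keymap file itself.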

