[Bf-committers] Keymaps and presets - Security issues?

Diego Gangl dnicolas at gmail.com
Thu Jun 11 16:58:25 CEST 2015


> Even with JSON or XML you could create a malicious keymap. For example
> you could use an operator to type any text into the text editor and
> execute it, and assign that to a commonly used key shortcut. It just
> requires a bit more creativity.

There isn't an operator that will do all these steps (make a new text,
insert some text, run script). It would have to be added in a different way
before putting it in the keymap.


> I'm not really sure why switching to any other format of storing keymaps
> will help in any way

Data formats are parsed, not executed.


> The thing is, even if the keymaps are safe, you're still having risk when
> installing someone's addon or even opening the .blend file.

Like Marc said, there's the Auto-run option for blend files.
Users know they are running something when they install an addon, and
there's usually more eyes on the source (mostly from people trying to
figure out stuff).


2015-06-10 15:12 GMT-03:00 Campbell Barton <ideasman42 at gmail.com>:

> On Thu, Jun 11, 2015 at 3:59 AM, Marc Dion <marcdion1974 at gmail.com> wrote:
> > It's likely that as soon as one person is affected by malicious code,
> > everybody is going to hear about it rather quickly.  News spreads fast
> > around here.
> >
> > People usually have to build up trust for some time before code or .blends
> > they've put together start to become of interest to others.
> >
> > If I'm not mistaken, *User Preferences->File->Auto Execution: Auto Run
> > Python Scripts* can be disabled for people who are concerned about this.
>
> Yes, and this is default off so opening Blends from untrusted sources
> won't execute code by default.
>
> > Perhaps someone will take the initiative to build a utility that can scan
> > Blender related material for suspicious code, (something that can detect
> > file deletion commands would be a solid start for this ;)
>
> Such tools have near zero use, you can scan for 'os.remove', but then
> someone can just workaround with
> 'getattr(__import__("".join(reversed(list("so")))),
> "".join(reversed(list("evomer"))))'
>
> > Render farm maintainers might appreciate something like this since who
> > knows what people are going to send over to their machines.
>
> Containers apparently have very low overhead these days and provide
> good sand-boxing mechanisms.
>
> > On Wed, Jun 10, 2015 at 10:26 AM, Sergey Sharybin <sergey.vfx at gmail.com> wrote:
> >
> >> I'm not really sure why switching to any other format of storing keymaps
> >> will help in any way, apart from introducing inconvenience to the folks who
> >> keep customization operators in the keymap (well, granted it's not the best
> >> approach in the world but that's how maya/3ds keymaps worked in blender for
> >> quite some time).
> >>
> >> The thing is, even if the keymaps are safe, you're still having risk when
> >> installing someone's addon or even opening the .blend file.
> >>
> >> So my question is: shall we really worry about this?
> >>
> >> On Wed, Jun 10, 2015 at 7:08 PM, Brecht Van Lommel <brechtvanlommel at pandora.be> wrote:
> >>
> >> > Even with JSON or XML you could create a malicious keymap. For example
> >> > you could use an operator to type any text into the text editor and
> >> > execute it, and assign that to a commonly used key shortcut. It just
> >> > requires a bit more creativity.
> >> >
> >> > On Wed, Jun 10, 2015 at 5:15 PM, Diego Gangl <dnicolas at gmail.com> wrote:
> >> > >> Though some keymap authors define their own operators & menus, so we
> >> > >> wouldn't want to drop support for Python keymaps entirely.
> >> > >
> >> > > Wouldn't this be more in the addon territory? I'm sure those keymap authors
> >> > > could write an addon as well.
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > 2015-06-10 1:33 GMT-03:00 Campbell Barton <ideasman42 at gmail.com>:
> >> > >
> >> > >> On Wed, Jun 10, 2015 at 9:59 AM, Diego Gangl <dnicolas at gmail.com> wrote:
> >> > >> > Hi guys,
> >> > >> >
> >> > >> > There's something that's been on my mind recently, keymaps and presets
> >> > >> > are python files that run whatever code is in them every time they are
> >> > >> > used.
> >> > >> >
> >> > >> > I tried pasting this code in the middle of a keymap file:
> >> > >> >
> >> > >> >      from subprocess import Popen
> >> > >> >      Popen('touch ~/boo.test', shell=True)
> >> > >> >
> >> > >> > and sure enough the file boo.test is created. Are there any limitations,
> >> > >> > or checks when running these files? Because it looks like it would be
> >> > >> > easy for someone to hide malicious code in there (not trying to sound
> >> > >> > like RMS :) )
> >> > >> >
> >> > >> > Presets/keymaps are often shared online, and users can't be expected
> >> > >> > to inspect these files for evilness. Why not use json or some other
> >> > >> > data format?
> >> > >> >
> >> > >> > Cheers!
> >> > >>
> >> > >> Hi Diego, yes, this is a real issue, we could use JSON/XML (as we do
> >> > >> already for themes).
> >> > >>
> >> > >> Though some keymap authors define their own operators & menus, so we
> >> > >> wouldn't want to drop support for Python keymaps entirely.
> >> > >> _______________________________________________
> >> > >> Bf-committers mailing list
> >> > >> Bf-committers at blender.org
> >> > >> http://lists.blender.org/mailman/listinfo/bf-committers
> >> > >>
> >> >
> >>
> >>
> >>
> >> --
> >> With best regards, Sergey Sharybin
> >>
>
>
>
> --
> - Campbell
>
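The "parsed, not executed" point from this thread, as an added example that is not code from the list or from Blender: a loader for a constructed JSON keymap layout (the field names, the `category.name` idname pattern and the key/value vocabularies are assumptions for this example, not Blender's real format) that turns each entry into plain data and rejects anything that is not a well-formed binding, so a string carrying Python source never reaches an interpreter.

```python
import json
import re

# Assumed layout (constructed for this example): a list of bindings, each
# naming a keymap, an operator idname, a key type, an event value and
# modifier flags. Anything outside this vocabulary is rejected, not run.
IDNAME_RE = re.compile(r"^[a-z][a-z0-9_]*\.[a-z][a-z0-9_]*$")   # e.g. object.delete
KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")                       # e.g. X, LEFTMOUSE
VALUES = {"PRESS", "RELEASE", "CLICK", "DOUBLE_CLICK"}
ALLOWED_FIELDS = {"keymap", "idname", "type", "value", "ctrl", "shift", "alt"}


def parse_keymap(text):
    """Parse a JSON keymap into a list of plain dicts.

    json.loads only builds lists/dicts/strings; a field holding Python
    source stays an inert string and then fails the idname check below."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("keymap must be a list of bindings")
    items = []
    for i, item in enumerate(data):
        if not isinstance(item, dict):
            raise ValueError(f"item {i}: not an object")
        extra = set(item) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"item {i}: unknown fields {sorted(extra)}")
        for field in ("keymap", "idname", "type"):
            if not isinstance(item.get(field), str):
                raise ValueError(f"item {i}: missing string field {field!r}")
        if not IDNAME_RE.match(item["idname"]):
            raise ValueError(f"item {i}: bad operator idname {item['idname']!r}")
        if not KEY_RE.match(item["type"]):
            raise ValueError(f"item {i}: bad key type {item['type']!r}")
        value = item.get("value", "PRESS")
        if value not in VALUES:
            raise ValueError(f"item {i}: bad event value {value!r}")
        mods = {m: bool(item.get(m, False)) for m in ("ctrl", "shift", "alt")}
        items.append({"keymap": item["keymap"], "idname": item["idname"],
                      "type": item["type"], "value": value, **mods})
    return items


# Constructed samples: one legitimate binding, one smuggling code in a field.
GOOD = '[{"keymap": "Object Mode", "idname": "object.delete", "type": "X", "ctrl": false}]'
BAD = '[{"keymap": "Object Mode", "idname": "__import__(\'os\').remove", "type": "X"}]'


def check(text):
    """Return (bindings, None) on success or (None, reason) on rejection."""
    try:
        return parse_keymap(text), None
    except ValueError as exc:
        return None, str(exc)
```

A loader like this hands validated dicts to the application's keymap API; the only code that ever runs is the loader's own, regardless of what the file contains.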
