[Bf-committers] Keymaps and presets - Security issues?

Campbell Barton ideasman42 at gmail.com
Thu Jun 11 19:02:14 CEST 2015


On Fri, Jun 12, 2015 at 12:58 AM, Diego Gangl <dnicolas at gmail.com> wrote:
>> Even with JSON or XML you could create a malicious keymap. For example
>> you could use an operator to type any text into the text editor and
>> execute it, and assign that to a commonly used key shortcut. It just
>> requires a bit more creativity.
>
> There isn't an operator that will do all these steps (make a new text,
> insert some text, run script). It would have to be added in a different way
> before putting it in the keymap.

Key-maps can define macros too.

>> I'm not really sure why switching to any other format of storing keymaps
>> will help in any way
>
> Data formats are parsed, not executed.
>
>
>> The thing is, even if the keymaps are safe, you're still having risk when
>> installing someone's addon or even opening the .blend file.
>
> Like Marc said, there's the Auto-run option for blend files.
> Users know they are running something when they install an addon, and
> there's usually more eyes on the source (mostly from people trying to
> figure out stuff).
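
The point argued above, that a parsed keymap can still bind a key to script execution once macros are involved, as an added example that is not part of the original message or of Blender's code. The JSON layout, its field names, and the `example.*` macro names are hypothetical; the flagged operator ids are real Blender operators, but the list is illustrative, not exhaustive.

```python
import json

# Operators that create, fill or run script text (illustrative, not exhaustive).
SCRIPT_CAPABLE = {"text.new", "text.insert", "text.run_script",
                  "script.python_file_run"}

# Constructed sample in a hypothetical JSON keymap layout.
SAMPLE = """
{
  "macros": [
    {"name": "example.outer", "steps": ["text.new", "example.inner"]},
    {"name": "example.inner", "steps": ["text.insert", "text.run_script"]}
  ],
  "bindings": [
    {"key": "G", "operator": "transform.translate"},
    {"key": "A", "operator": "example.outer"}
  ]
}
"""

def audit_keymap(doc):
    """Return (key, bound operator, script-capable operators reached)."""
    data = json.loads(doc)  # parsing alone executes nothing
    macros = {m["name"]: m["steps"] for m in data.get("macros", [])}

    def expand(op, seen=()):
        # Follow macro definitions down to plain operators; 'seen' stops cycles.
        if op in macros and op not in seen:
            for step in macros[op]:
                yield from expand(step, seen + (op,))
        else:
            yield op

    findings = []
    for item in data.get("bindings", []):
        reached = set(expand(item["operator"]))
        hits = sorted(reached & SCRIPT_CAPABLE)
        if hits:
            findings.append((item["key"], item["operator"], hits))
    return findings

if __name__ == "__main__":
    for key, op, hits in audit_keymap(SAMPLE):
        print(f"key {key!r} -> {op}: reaches {', '.join(hits)}")
```

A check like this only covers what the binding names; it says nothing about what an add-on-defined operator does internally.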

