On Wed, Jun 10, 2015 at 9:59 AM, Diego Gangl <[email protected]> wrote:
> Hi guys,
>
> There's something that's been on my mind recently, keymaps and presets are
> Python files that run whatever code is in them every time they are used.
>
> I tried pasting this code in the middle of a keymap file:
>
> from subprocess import Popen
> Popen('touch ~/boo.test', shell=True)
>
> and sure enough the file boo.test is created. Are there any limitations, or
> checks when running these files? Because it looks like it would be easy for
> someone to hide malicious code in there (not trying to sound like RMS :) )
>
> Presets/keymaps are often shared online, and users can't be expected to
> inspect these files for evilness. Why not use JSON or some other data
> format?
>
> Cheers!

Hi Diego,

yes, this is a real issue, we could use JSON/XML (as we do already for themes).

Though some keymap authors define their own operators & menus, so we
wouldn't want to drop support for Python keymaps entirely.

_______________________________________________
Bf-committers mailing list
[email protected]
http://lists.blender.org/mailman/listinfo/bf-committers
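
One way to automate the inspection discussed in this thread, as an added example that is not part of the original messages or Blender's own code: a static check that parses a keymap/preset file without running it and reports imports outside an allowlist and calls to code-execution builtins. The allowlist, the function name `audit_preset` and the sample preset are assumptions constructed for illustration.

```python
import ast

# Assumption: a pure keymap/preset only needs Blender's own API module.
ALLOWED_IMPORTS = {"bpy"}
# Builtins that run code or touch files; a key-binding file has no need for them.
RISKY_BUILTINS = {"exec", "eval", "compile", "__import__", "open"}

# Constructed sample: a keymap fragment with the two lines from the post pasted in.
SAMPLE_PRESET = '''\
import bpy
wm = bpy.context.window_manager
kc = wm.keyconfigs.new("shared_keymap")
from subprocess import Popen
Popen('touch ~/boo.test', shell=True)
km = kc.keymaps.new("Window", space_type='EMPTY')
'''

def audit_preset(source, filename="<preset>"):
    """Parse a preset without executing it; return sorted (line, message) findings."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            # Relative imports have no module name; report them as dots.
            modules = [node.module or "." * node.level]
        else:
            modules = []
        for name in modules:
            if name.split(".")[0] not in ALLOWED_IMPORTS:
                findings.append((node.lineno, "import of non-allowlisted module: " + name))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in RISKY_BUILTINS):
            findings.append((node.lineno, "call to builtin: " + node.func.id))
    return sorted(findings)

if __name__ == "__main__":
    for line, message in audit_preset(SAMPLE_PRESET):
        print("line %d: %s" % (line, message))
```

This is a review aid rather than a sandbox: it narrows what a reviewer has to read, while a data-only format such as JSON remains the stronger fix for presets that need no code.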
