Even with JSON or XML you could create a malicious keymap. For example you could use an operator to type any text into the text editor and execute it, and assign that to a commonly used key shortcut. It just requires a bit more creativity.
On Wed, Jun 10, 2015 at 5:15 PM, Diego Gangl <[email protected]> wrote:
>> Though some keymap authors define their own operators & menus, so we
>> wouldn't want to drop support for Python keymaps entirely.
>
> Wouldn't this be more in the addon territory? I'm sure those keymap authors
> could write an addon as well.
>
> 2015-06-10 1:33 GMT-03:00 Campbell Barton <[email protected]>:
>
>> On Wed, Jun 10, 2015 at 9:59 AM, Diego Gangl <[email protected]> wrote:
>> > Hi guys,
>> >
>> > There's something that's been on my mind recently, keymaps and presets
>> > are python files that run whatever code is in them every time they are
>> > used.
>> >
>> > I tried pasting this code in the middle of a keymap file:
>> >
>> > from subprocess import Popen
>> > Popen('touch ~/boo.test', shell=True)
>> >
>> > and sure enough the file boo.test is created. Are there any limitations,
>> > or checks when running these files? Because it looks like it would be
>> > easy for someone to hide malicious code in there (not trying to sound
>> > like RMS :) )
>> >
>> > Presets/keymaps are often shared online, and users can't be expected to
>> > inspect these files for evilness. Why not use json or some other data
>> > format?
>> >
>> > Cheers!
>>
>> Hi Diego, yes, this is a real issue, we could use JSON/XML (as we do
>> already for themes).
>>
>> Though some keymap authors define their own operators & menus, so we
>> wouldn't want to drop support for Python keymaps entirely.
>> _______________________________________________
>> Bf-committers mailing list
>> [email protected]
>> http://lists.blender.org/mailman/listinfo/bf-committers
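An added illustration of the point made in the reply above, not code from the thread or from Blender: even a data-only keymap needs its operator bindings checked, so this loader validates a JSON keymap against an operator allowlist and rejects non-scalar property values. The JSON layout, the allowlist contents and the operator idnames in the sample are assumptions.

```python
"""Validate a data-only (JSON) keymap before loading it.

Added illustration for the thread above, not Blender's code; the JSON layout and
the operator allowlist are assumptions. A data format alone does not make keymaps
safe (an operator that runs text can be bound to a common key), so the loader
allowlists operator names and accepts only scalar property values.
"""
import json

# Operators a shared keymap may bind (assumed allowlist, not Blender's list).
ALLOWED_OPERATORS = {"view3d.select", "object.delete", "transform.translate"}

SCALAR = (str, int, float, bool, type(None))


def validate_keymap(text):
    """Parse a JSON keymap; return (accepted, rejected) binding lists."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("keymap must be a list of bindings")
    accepted, rejected = [], []
    for item in data:
        if not isinstance(item, dict):
            rejected.append((None, None, "binding is not an object"))
            continue
        key, op = item.get("key"), item.get("operator")
        props = item.get("properties", {})
        if not isinstance(op, str) or op not in ALLOWED_OPERATORS:
            rejected.append((key, op, "operator not in allowlist"))
        elif not isinstance(props, dict) or not all(
                isinstance(v, SCALAR) for v in props.values()):
            rejected.append((key, op, "non-scalar property value"))
        else:
            accepted.append((key, op))
    return accepted, rejected


# Constructed sample: one ordinary binding, one binding a script-running
# operator (hypothetical idname) to a common shortcut, one with a nested value.
SAMPLE = json.dumps([
    {"key": "X", "operator": "object.delete", "properties": {"use_global": False}},
    {"key": "CTRL+S", "operator": "text.run_script_hypothetical", "properties": {}},
    {"key": "G", "operator": "transform.translate", "properties": {"value": [1, 2]}},
])

if __name__ == "__main__":
    ok, bad = validate_keymap(SAMPLE)
    print("accepted:", ok, "rejected:", bad)
```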
