Today at 4:57am, Geir Torstein Kristiansen mumbled:
> I *really* don't like the way blackbox runs arbitrary shell commands in
> themes.
>
> There should be a standard way to set backgrounds that doesn't involve
> the shell commands.
>
> Exploit:
>
> Malicious themes could contain nasty commands like: rootCommand: rm -rf
> $HOME and the like.
>
> Imagine if blackbox is run as root, and you have a theme that contains
> stuff like rootCommand: echo
> "root:crypt-password:0:0:root:/root:/bin/bash" >>/etc/passwd; bsetroot
> <normal stuff>
>
> And they wouldn't know what hit'em because everything will appear
> normal, and the bg will be set.
>
> Note that I haven't bothered to test these.

I agree.

Maybe we could use a tool like bsetbg for this. A quick proposal for a
replacement for rootCommand:

    root.decoration: mod, image <style> <..> <filename>, or a
                     gradient texture description
    root.color:      color (used for mod and gradient)
    root.colorTo:    color

Blackbox then calls a script like bsetbg to set the background in the
desired way.

So

    root.decoration: flat gradient diagonal interlaced
    root.color: slategray
    root.colorTo: darkslategray

causes the script to call bsetroot with appropriate args.

And

    root.decoration: image fit snoopy.jpg

causes the script to run e.g. "xv -root -quit -max snoopy.jpg". The script
could check for different apps like xv, display, xpmroot, Esetroot etc.

    root.decoration: image tile silery.xpm

calls e.g. xv -root -quit silery.xpm. And

    root.decoration: image center president.png
    root.color: black

calls e.g. xv -root -rmode 5 -bg black -quit president.png

When the image filename is relative, the script should look in
~/.blackbox/backgrounds and then in @pkgdatadir@/backgrounds.
This way you can install styles system-wide without bothering to change
the style files.

Wilbert.
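
An added example, not part of the original message or of Blackbox: the bsetbg-like helper proposed above, written in Python, turning the root.* keys into an argument vector for the gradient and image cases so that theme text never reaches a shell. The texture-word whitelist, the color pattern and all function names are assumptions; the xv arguments are the ones quoted in the message, and bsetroot is called with its -gradient/-from/-to options.

```python
import os
import re
import subprocess

# Assumed whitelist of texture words; the message shows "flat gradient diagonal interlaced".
TEXTURE_WORDS = {"flat", "raised", "sunken", "gradient", "interlaced", "horizontal",
                 "vertical", "diagonal", "crossdiagonal", "pipecross", "elliptic",
                 "rectangle", "pyramid"}
# Color names or #hex only: no shell metacharacters, no leading "-" (assumed rule).
COLOR_RE = re.compile(r"#[0-9A-Fa-f]{3,12}|[A-Za-z][A-Za-z0-9 ]{0,31}")
# xv arguments per image style, copied from the commands quoted in the message.
XV_MODES = {"fit": ["-max"], "tile": [], "center": ["-rmode", "5"]}


def color(style, key):
    value = style.get(key, "")
    if not COLOR_RE.fullmatch(value):
        raise ValueError("bad %s: %r" % (key, value))
    return value


def find_image(name, search_dirs):
    """Absolute names are used as given; relative ones are looked up in search_dirs."""
    candidates = [name] if os.path.isabs(name) else [os.path.join(d, name) for d in search_dirs]
    for path in candidates:
        if os.path.isfile(path):
            return os.path.realpath(path)  # absolute path, cannot be read as an option
    raise ValueError("image not found: %r" % name)


def build_argv(style, search_dirs):
    """Turn the declarative keys into an argument vector; nothing is shell-parsed."""
    words = style.get("root.decoration", "").split(None, 2)
    if len(words) == 3 and words[0] == "image" and words[1] in XV_MODES:
        argv = ["xv", "-root", "-quit"] + XV_MODES[words[1]]
        if "root.color" in style:
            argv += ["-bg", color(style, "root.color")]
        return argv + [find_image(words[2], search_dirs)]
    words = style.get("root.decoration", "").split()
    if "gradient" in words and set(words) <= TEXTURE_WORDS:
        return ["bsetroot", "-gradient", " ".join(words),
                "-from", color(style, "root.color"), "-to", color(style, "root.colorTo")]
    raise ValueError("unsupported root.decoration: %r" % style.get("root.decoration"))


def set_background(style, search_dirs):
    subprocess.run(build_argv(style, search_dirs), check=True)  # list argv, no shell=True
```

A style whose values fall outside the whitelist or pattern is rejected with ValueError before any program is started.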