From the discussion in “Poll: updating the default grey themes” it appears that there is a desire to have some kind of repository for darktable themes and CSS snippets for user.css.
For the moment it’s very basic, but it’s possible to upload and download themes and CSS snippets. If you want to upload a new theme or snippet, go ahead, create an account and submit your contribution.
Temporarily it’s hosted on my website, but I am more than happy to transfer ownership to the DT team and/or move it to DT’s hosting if the devs so desire.
In the meantime, please go ahead and upload your content if you would like to share your tweaks. Be aware that at the moment it’s more or less a proof of concept and there is no guarantee that the service will stay up or that the db will not have to be reset at some point.
Dream bigger! On initialization the Lua script could theoretically fetch a list of themes with name and id to populate into a selectable element.
Thinking out loud, the Lua script would have to access the user.css file and update it. It should probably make a backup of the existing one. Then the Lua script would have to apply those changes; not sure if that’s something the Lua scripts have access to.
Inspiring confidence is certainly not what it does.
BTW, to download into DT you wouldn’t need to rely on the code of the website. Each CSS (both themes and snippets) is stored in its own file. To download the theme into DT one would only need a small function that does a table lookup into the DB and downloads the corresponding file, and that can be reviewed easily.
We are talking about CSS that is going to be parsed by GTK+; the worst thing that can happen is that the layout of the UI is messed up. Of course, the Lua script that @Pascal_Obry is dreaming about should be reviewed to ensure that (1) it only downloads the CSS and (2) it is not destructive.
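The two review criteria above (only download the CSS, never be destructive) can be made concrete. The following is an added example, not code from darktable or from the theme site: `install_theme`, the injected `fetch` function, the 256 KiB limit and the `@import` rejection are all assumptions chosen for illustration, and only standard Lua library calls are used.

```lua
-- Added example: hypothetical helper, not darktable or repository code.
local MAX_BYTES = 256 * 1024 -- assumed size limit for one stylesheet
-- Only a short numeric id may reach the URL, so no path or query is user-shaped.
local function valid_id(id)
  return type(id) == "string" and #id <= 9 and id:match("^%d+$") ~= nil
end

-- Reject empty, oversized or binary bodies, and @import, which would make
-- the stylesheet depend on files other than the one that was reviewed.
local function acceptable_css(body)
  if type(body) ~= "string" or #body == 0 or #body > MAX_BYTES then return false end
  if body:find("\0", 1, true) then return false end
  return body:lower():find("@import", 1, true) == nil
end

local function read_all(path)
  local f = io.open(path, "rb")
  if not f then return nil end
  local data = f:read("*a")
  f:close()
  return data
end

local function write_all(path, data)
  local f, err = io.open(path, "wb")
  if not f then return nil, err end
  local ok, werr = f:write(data)
  f:close()
  return ok and true or nil, werr
end

-- fetch(id) is injected by the caller and returns the CSS text or nil.
local function install_theme(id, fetch, css_path)
  if not valid_id(id) then return nil, "invalid theme id" end
  local body = fetch(id)
  if not acceptable_css(body) then return nil, "download rejected" end
  local old = read_all(css_path)
  if old then -- keep every previous user.css under a timestamped name
    local ok, err = write_all(css_path .. "." .. os.date("%Y%m%d-%H%M%S") .. ".bak", old)
    if not ok then return nil, "backup failed: " .. tostring(err) end
  end
  -- Write beside the target, then rename: a failed write cannot truncate user.css.
  local tmp = css_path .. ".tmp"
  local ok, err = write_all(tmp, body)
  if not ok then return nil, "write failed: " .. tostring(err) end
  local renamed, rerr = os.rename(tmp, css_path)
  if not renamed then os.remove(tmp) return nil, "rename failed: " .. tostring(rerr) end
  return true
end
```

Where `os.rename` cannot replace an existing file, the function returns an error and the current user.css is left as it was.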
Do you use SQL? Are your SQL queries created with string concat? Do you use any input from the user for it?
Even if it is “I just store files on disk” … as long as you give the user some control over the file path … they can have a lot of fun (Hello ../../../../../../etc/passwd)
Also, CSS is not free of “fun”. It can be used to hide data. I wonder if you can have fun with making funny CSS that is super slow to render.
To quote LockPickingLawyer: “Everyone knows what it was meant for, but ask yourself what can it be used for.”
No, the user has no control over the location of the files.
In this case we are talking about downloading a CSS file from a web server to be used for skinning an application. I am not aware of GTK+ exploits that use CSS; if you know one, I am happy to learn something new.
BTW, as always, downloading content from the internet comes with some degree of risk, which in this case is pretty minimal, and the users who decide to do so should be aware of that.
Ah, that is possibly full of leaks, and it was part of my original disclaimer. It is just a proof of concept, and I am not planning to spend a lot of effort making it failproof.
What I care about is that there are no big risks for the users who download CSS from it, which is what @paperdigits was rightly expressing concerns about.