Brion Vibber wrote:
David Gerard wrote:
| Frank v Waveren (fvw.wikipediaml@var.cx) [050123 14:45]:
|> The filetypes allowable for uploads were hurriedly limited a while
|> back because of abuse, I suspect it's just that nobody thought of SVG.
|
| Does it check what the file actually is, or just check the extension?
Take a look at SpecialUpload.php some time. In summary, on upload we:
- Normalize the filename
- Ensure the extension is in a whitelist
- Ensure that no blacklisted extensions are present
- For known image types, use the getimagesize() function to detect the
  file type and ensure that there is an identifiable header.
  ** If no type is detected for a known extension, the file is rejected.
  ** If the detected type does not match the given extension, the file is rejected.
- Attempt to replicate Internet Explorer's HTML-detection heuristic to
  prevent scripting attacks using HTML+JavaScript embedded into a valid image file.

-- brion vibber (brion @ pobox.com)
For SVG, and other well-formed XML documents, it should be possible to check the uploaded document for conformance to the appropriate DTD or schema. See http://www.w3.org/TR/SVG/svgdtd.html for the SVG 1.0 DTD. After a bit of searching for free software (and that means free as in both GPL and not based on Java), it looks like libxml2 supports DTD validation for versions >= 2.4.0. The xmllint tool seems to be a nice way to wrap this all up in an easy-to-call command-line tool. See http://www.xmlsoft.org/xmldtd.html
However, I agree that the HTML/JavaScript detector should be used as well; double-checking is a good thing, and I'm not sure how extensible the SVG DTD is, or how lax other parsers are.
DTD-checking input also greatly increases the chances of downstream tools such as image renderers working properly when we allow SVG to be treated as yet another image type.
-- Neil.
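Added example, not MediaWiki's SpecialUpload.php and not code from either poster: a compact PHP sketch of the upload checks Brion lists (filename normalization, extension whitelist and blacklist, header detection via getimagesize, type-versus-extension match, HTML sniffing) together with Neil's suggestion of DTD-validating SVG through xmllint (libxml2) and a second pass for embedded scripting. The extension lists, the HTML marker list, the `on*` attribute rule and the DTD path are assumptions; it assumes PHP 8 and an xmllint binary on the PATH, and the sample inputs are constructed, not real uploads.

```php
<?php
// Added example (not MediaWiki code). Lists below are assumptions, not the
// project's actual configuration.
declare(strict_types=1);

const ALLOWED_EXT   = ['png', 'gif', 'jpg', 'jpeg', 'svg'];
const FORBIDDEN_EXT = ['html', 'htm', 'js', 'php', 'phtml', 'shtml', 'exe'];
// Which IMAGETYPE_* constant getimagesize must report for each extension.
const TYPE_FOR_EXT  = ['png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF,
                       'jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG];
// Markers an IE-style content sniffer treats as HTML (assumed list).
const HTML_MARKERS  = ['<html', '<head', '<body', '<script', '<title',
                       '<!doctype html', 'javascript:'];

/** Normalize the filename: drop any path, control characters, whitespace. */
function normalizeFilename(string $name): string {
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[\x00-\x1f\x7f]/', '', $name);
    return strtolower(trim(preg_replace('/\s+/', '_', $name)));
}

/** Returns null when the raw upload is acceptable, otherwise the reason. */
function checkImageUpload(string $filename, string $bytes): ?string {
    $parts = explode('.', normalizeFilename($filename));
    if (count($parts) < 2) return 'no extension';
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXT, true)) return "extension .$ext not allowed";
    // Every inner extension (foo.php.png) must be clean too.
    foreach ($parts as $inner) {
        if (in_array($inner, FORBIDDEN_EXT, true)) return "embedded .$inner extension";
    }
    if (isset(TYPE_FOR_EXT[$ext])) {
        $info = @getimagesizefromstring($bytes);          // PHP >= 5.4
        if ($info === false) return 'no recognizable image header';
        if ($info[2] !== TYPE_FOR_EXT[$ext]) return 'content does not match extension';
    }
    // IE sniffed the first 256 bytes; look a little further to be safe.
    $head = strtolower(substr($bytes, 0, 1024));
    foreach (HTML_MARKERS as $m) {
        if (str_contains($head, $m)) return "looks like HTML ($m)";
    }
    return null;
}

/** DTD-validate an SVG file with xmllint; --nonet keeps libxml2 offline. */
function validateSvgDtd(string $svgPath, string $dtdPath): ?string {
    $cmd = 'xmllint --noout --nonet --nowarning --dtdvalid '
         . escapeshellarg($dtdPath) . ' ' . escapeshellarg($svgPath) . ' 2>&1';
    exec($cmd, $out, $code);
    return $code === 0 ? null : "xmllint exit $code: " . implode(' ', $out);
}

/** Second pass: refuse SVG carrying <script> or on* event attributes. */
function svgHasScripting(string $svg): bool {
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    if (!$doc->loadXML($svg, LIBXML_NONET)) return true;   // not well-formed
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (strtolower($el->localName) === 'script') return true;
        foreach ($el->attributes as $attr) {
            if (str_starts_with(strtolower($attr->name), 'on')) return true;
        }
    }
    return false;
}

// Constructed samples: a 1x1 GIF header and some GIF-prefixed HTML.
$gif = "GIF89a" . pack('vv', 1, 1) . "\x00\x00\x00";
var_dump(checkImageUpload('Example.GIF', $gif));             // NULL (accepted)
var_dump(checkImageUpload('example.png', $gif));             // mismatch
var_dump(checkImageUpload('x.gif', "GIF89a<html><script>")); // looks like HTML
var_dump(checkImageUpload('shell.php.gif', $gif));           // embedded .php
$svg = '<svg xmlns="http://www.w3.org/2000/svg"><rect onload="f()"/></svg>';
var_dump(svgHasScripting($svg));                             // bool(true)
// DTD path is a placeholder: point it at a local copy of the SVG 1.0 DTD.
var_dump(validateSvgDtd('/tmp/upload.svg', '/path/to/svg10.dtd'));
```

The DTD check and the scripting check are deliberately separate, matching the double-checking point above: a document can be valid against the SVG DTD and still carry script elements or event-handler attributes, and a document that fails to parse is rejected outright rather than passed on to a renderer.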