On 05/27/2014 03:08 PM, Marc A. Pelletier wrote:
> The problem with either is that, short of installing a very complicated and brittle full URL parser in the SVG validation code, you open the door to a number of very nearly insurmountable (and highly catastrophic) security issues, the most important of which is that you then allow anyone able to upload an image the capability to force either the client or (worse) the image scalers to perform an arbitrary GET on the projects -- including such things as API calls simply by viewing or processing an image.
First, I think this is avoidable, if we limit it to upload.wikimedia.org and bits.wikimedia.org (see below).
But hypothetically, say the API is accessible on one of those hosts. Can't this be addressed with a simple wall clock timeout? If it takes more than X seconds to fetch the Wikimedia HTTP(S) resource, fail the thumbnail generation.
With regard to other issues (e.g. API calls *doing* something), correct me if I'm wrong, but I don't see a security issue. Our API is designed such that it's impossible to either login or take any write action using a GET request. (If there were a bug in this, it would have other serious ramifications, and would need to be fixed in the API proper.)
> Even stringent validation is brittle and opens a number of hard to track security vulnerabilities.
It's true that blacklists are doomed, and that complex whitelists are hard to read and maintain. But a whitelist that e.g. allowed only //upload.wikimedia.org/ and //bits.wikimedia.org/ may not be problematic.
Matt Flaschen
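To make the two positions in this exchange concrete, here is an added example (not code from the thread or from MediaWiki) of the kind of host allowlist Matt proposes, applied to the href/xlink:href attributes of an uploaded SVG. It assumes Python's urllib.parse and xml.etree, accepts only same-document #fragment references or http(s)/scheme-relative URLs on upload.wikimedia.org or bits.wikimedia.org, and rejects userinfo, explicit ports, backslashes and control characters, since those are exactly the cases where a "simple" whitelist and a browser's URL parser start to disagree. The sample SVG and its paths are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The two hosts named in the thread as the only acceptable targets for
# external references in an uploaded SVG.
ALLOWED_HOSTS = {"upload.wikimedia.org", "bits.wikimedia.org"}

# Attribute names that carry a reference an SVG renderer may fetch.
# Caveat: url(...) inside style attributes and <style> sheets is another
# fetch vector a real validator must also cover; it is out of scope here.
HREF_ATTRS = ("href", "{http://www.w3.org/1999/xlink}href")


def href_allowed(href: str) -> bool:
    """True only for references that cause no fetch (a local #fragment) or
    that fetch from an allowed host over http(s) on the default port."""
    href = href.strip()
    if href.startswith("#"):
        return True                      # same-document reference, no network access
    if any(ord(c) < 0x20 or c == "\\" for c in href):
        return False                     # control chars and backslashes: parsers disagree
    parts = urlsplit(href)               # scheme and hostname come back lowercased
    if parts.scheme in ("http", "https"):
        pass
    elif parts.scheme == "" and href.startswith("//"):
        pass                             # scheme-relative form, as proposed in the thread
    else:
        return False                     # data:, javascript:, file:, bare relative paths, ...
    if parts.username is not None or parts.password is not None:
        # //upload.wikimedia.org@evil.example/ already yields hostname evil.example,
        # but reject userinfo explicitly rather than rely on that.
        return False
    try:
        if parts.port is not None:
            return False                 # default port only
    except ValueError:
        return False                     # unparseable port such as :abc
    return (parts.hostname or "") in ALLOWED_HOSTS


def svg_references(svg_text: str):
    """Yield (tag, href) for every href/xlink:href attribute in the document."""
    root = ET.fromstring(svg_text)
    for el in root.iter():
        for attr in HREF_ATTRS:
            if attr in el.attrib:
                yield el.tag, el.attrib[attr]


def rejected_references(svg_text: str) -> list:
    """Return the (tag, href) pairs an allowlist validator would refuse."""
    return [(tag, ref) for tag, ref in svg_references(svg_text) if not href_allowed(ref)]


# Constructed sample: one harmless local reference, one acceptable upload URL,
# and four references that look close to the allowed hosts but are not.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><linearGradient id="g"/></defs>
  <rect fill="url(#g)"/>
  <use xlink:href="#g"/>
  <image xlink:href="//upload.wikimedia.org/wikipedia/commons/example.png"/>
  <image xlink:href="https://upload.wikimedia.org@evil.example/x.png"/>
  <image href="//bits.wikimedia.org:8443/static/x.png"/>
  <image xlink:href="https://upload.wikimedia.org.evil.example/x.png"/>
  <a href="javascript:alert(1)"/>
</svg>"""

if __name__ == "__main__":
    for tag, ref in rejected_references(SAMPLE_SVG):
        print(f"reject {tag}: {ref}")
```

The point of the tricky inputs is Marc's: each one is a separate decision (userinfo, ports, case, backslashes, relative paths) that the allowlist has to get right and keep right, which is what makes even a two-host whitelist more than a string prefix check.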