On 05/27/2014 03:08 PM, Marc A. Pelletier wrote:
> The problem with either is that, short of installing a very
> complicated and brittle full URL parser in the SVG validation code,
> you open the door to a number of very nearly insurmountable (and
> highly catastrophic) security issues, the most important of which is
> that you then allow anyone able to upload an image the capability to
> force either the client or (worse) the image scalers to perform an
> arbitrary GET on the projects -- including such things as API calls
> simply by viewing or processing an image.
First, I think this is avoidable, if we limit it to upload.wikimedia.org
and bits.wikimedia.org (see below).
But hypothetically, say the API is accessible on one of those hosts.
Can't this be addressed with a simple wall clock timeout? If it takes
more than X seconds to fetch the Wikimedia HTTP(S) resource, fail the
thumbnail generation.
With regard to other issues (e.g. API calls *doing* something), correct
me if I'm wrong, but I don't see a security issue. Our API is designed
such that it's impossible to either login or take any write action using
a GET request. (If there were a bug in this, it would have other serious
ramifications, and would need to be fixed in the API proper).
> Even stringent validation is brittle and opens a number of hard to
> track security vulnerabilities.
It's true that blacklists are doomed, and that complex whitelists are
hard to read and maintain. But a whitelist that e.g. allowed only
//upload.wikimedia.org/ and //bits.wikimedia.org/ may not be problematic.
Matt Flaschen
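The host allow-list sketched in the reply above, as an added example that is not code from the original thread or from MediaWiki (which is PHP; the example is in Python). The two permitted hosts are the ones named in the message; the function names, the `evil.example` host and the sample SVG are constructed for the illustration. The edge cases it refuses (userinfo before an `@`, an explicit port, a path-only reference that would resolve against the rendering origin, backslashes and whitespace that browsers and URL libraries parse differently) are the ones that make "simple" whitelists brittle in practice.

```python
"""
Allow-list check for external references in an SVG, restricted to a fixed
set of hosts. Added illustration: the two hosts come from the discussion,
everything else (function names, the sample SVG) is an assumption.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"upload.wikimedia.org", "bits.wikimedia.org"})
ALLOWED_SCHEMES = frozenset({"", "http", "https"})  # "" = protocol-relative //host/...
XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)
# url(...) inside a style attribute also triggers a fetch
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)""", re.IGNORECASE)


def is_allowed_reference(ref):
    """True only for a same-document fragment or an http(s) / protocol-relative
    URL whose host is exactly one of ALLOWED_HOSTS, with no userinfo and no port."""
    ref = ref.strip()
    if ref == "" or ref.startswith("#"):
        return True  # no network fetch involved
    # Backslashes, embedded whitespace and control characters are treated
    # differently by browsers and by URL libraries; refuse rather than guess.
    if "\\" in ref or any(ch.isspace() or ord(ch) < 0x20 for ch in ref):
        return False
    parts = urlsplit(ref)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False  # data:, javascript:, file:, ...
    # A path-only reference ("/w/api.php?...") resolves against whatever
    # origin renders the image, which is exactly the API-call case.
    if parts.hostname is None:
        return False
    # "//upload.wikimedia.org@evil.example/": the real host is evil.example
    if parts.username is not None or parts.password is not None:
        return False
    try:
        if parts.port is not None:
            return False  # "//bits.wikimedia.org:8080/": not the same origin
    except ValueError:
        return False  # unparsable port, e.g. "//host:abc/"
    # .hostname is already lower-cased, so UPLOAD.wikimedia.org matches
    return parts.hostname in ALLOWED_HOSTS


def find_references(svg_text):
    """Collect every attribute value in the SVG that could cause a fetch
    (href / xlink:href on any element, url(...) inside style attributes)."""
    refs = []
    for el in ET.fromstring(svg_text).iter():
        for attr in HREF_ATTRS:
            if attr in el.attrib:
                refs.append(el.attrib[attr])
        refs.extend(CSS_URL_RE.findall(el.attrib.get("style", "")))
    return refs


def rejected_references(svg_text):
    """References the allow-list refuses; an empty list means the SVG passes."""
    return [r for r in find_references(svg_text) if not is_allowed_reference(r)]


# Constructed sample, not a real file from the project.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="//upload.wikimedia.org/wikipedia/commons/a/ab/Example.png"/>
  <image xlink:href="https://UPLOAD.wikimedia.org/wikipedia/commons/a/ab/Example.png"/>
  <image xlink:href="//upload.wikimedia.org@evil.example/x.png"/>
  <image xlink:href="/w/api.php?action=query"/>
  <use href="#gradient"/>
  <rect style="fill:url(//bits.wikimedia.org:8080/x.png)"/>
</svg>"""

if __name__ == "__main__":
    for ref in find_references(SAMPLE_SVG):
        print("ALLOW " if is_allowed_reference(ref) else "REJECT", ref)
```

The check deliberately refuses anything it cannot classify with certainty (empty userinfo, a trailing dot, percent-encoded host labels, an unparsable port) instead of trying to normalise it, since the cost of a false reject is one unrenderable upload while the cost of a false accept is a fetch from the scalers. Entity expansion and external DTDs are a separate concern of the XML parser and are not covered here.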