On 05/27/2014 09:09 PM, Marc A. Pelletier wrote:
> On 05/27/2014 09:05 PM, C. Scott Ananian wrote:
>> I agree that a simple whitelist might be workable, but it does depend on a bit of code auditing of librsvg to ensure that it can be done robustly.
>
> That works to protect the image scalers, if correct, but it does nothing to protect the clients, would it?

If the SVG is blocked at upload time, other users will not be able to download it, so that would address anything that can be statically checked (e.g. URLs).
If you're referring to the long-running GET issue, we would have to see how browsers handle things (i.e. whether it just keeps loading, times it out, hangs the browser preventing you from closing the tab, etc.).
Matt Flaschen