I've turned SVG upload and rendering back off for now.
rsvg/librsvg doesn't seem to provide any ability to shut off inclusions of image files from the filesystem, nor does the current filter prevent such uploads. This could be abused at a minimum to read an image with a known filename from the restricted internal wiki, given knowledge of the filesystem layout on the server (which is easy to get given our open documentation).
-- brion vibber (brion @ pobox.com)