Brion Vibber wrote:
I've turned SVG upload and rendering back off for now.
rsvg/librsvg doesn't seem to provide any ability to shut off inclusions of image files from the filesystem, nor does the current filter prevent such uploads. This could be abused at a minimum to read an image with a known filename from the restricted internal wiki, given knowledge of the filesystem layout on the server (which is easy to get given our open documentation).
I've hacked in an embargo on external file references in librsvg, so it's back on. Whee!
-- brion vibber (brion @ pobox.com)
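The upload-side check that the message says the filter was missing, written here as an added example (it is not Brion's patch and not MediaWiki's or librsvg's code): parse the candidate SVG and reject it if any `href`/`xlink:href` attribute or any `url(...)` reference points outside the document itself. Only same-document fragments (`#id`) and inline `data:` URIs are accepted; the rejection of any `<!DOCTYPE>` declaration is an added conservative rule, and the file paths in the constructed unsafe sample are placeholders.

```python
"""
Reject SVG uploads that reference resources outside the document itself.
Added example: scans href/xlink:href attributes, url(...) references in
attribute values and <style> text, and refuses DOCTYPE declarations.
"""
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)
# Matches url(#id), url('x.png'), url( "file:///..." ) and captures the target.
URL_REF = re.compile(r"url\(\s*['\"]?\s*([^'\")\s]+)")


def _is_local(ref: str) -> bool:
    """Same-document fragments and inline data: URIs never touch the filesystem."""
    ref = ref.strip()
    return ref.startswith("#") or ref.lower().startswith("data:")


def find_external_references(svg_text: str) -> list:
    """Return (element tag, reference) pairs for every reference that points
    outside the SVG document. An empty list means the SVG is self-contained.
    Raises ET.ParseError on malformed input."""
    findings = []
    # Conservative added rule: a DOCTYPE can declare entities, so refuse it outright.
    if "<!doctype" in svg_text.lower():
        findings.append(("!DOCTYPE", "document type declaration not allowed"))
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = elem.tag.split("}", 1)[-1]  # drop the namespace for readability
        # 1. Direct href / xlink:href attributes (image, use, feImage, a, ...).
        for attr in HREF_ATTRS:
            value = elem.attrib.get(attr)
            if value is not None and not _is_local(value):
                findings.append((tag, value.strip()))
        # 2. url(...) references in any attribute value (fill, style, filter, mask...).
        for value in elem.attrib.values():
            for ref in URL_REF.findall(value):
                if not _is_local(ref):
                    findings.append((tag, ref))
        # 3. url(...) references inside <style> blocks.
        if tag == "style" and elem.text:
            for ref in URL_REF.findall(elem.text):
                if not _is_local(ref):
                    findings.append((tag, ref))
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """True when the SVG parses and contains no external references.
    Input that cannot be parsed is rejected, since it cannot be inspected."""
    try:
        return not find_external_references(svg_text)
    except ET.ParseError:
        return False


# Constructed sample inputs (not real uploads).
SAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <defs><linearGradient id="g"/></defs>
  <rect width="10" height="10" fill="url(#g)"/>
  <use xlink:href="#g"/>
  <image width="1" height="1" href="data:image/png;base64,iVBORw0KGgo="/>
</svg>"""

UNSAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="file:///placeholder/internal-wiki/image.png" width="1" height="1"/>
  <rect width="1" height="1" style="fill: url(../some-other-file.svg#p)"/>
</svg>"""

if __name__ == "__main__":
    print("safe sample accepted:", is_safe_svg(SAFE_SVG))
    print("unsafe sample findings:", find_external_references(UNSAFE_SVG))
```

The check deliberately treats anything it cannot classify as external (including an empty or malformed reference), because the failure mode worth avoiding is the renderer being handed a path it will read on the server. Rejecting rather than rewriting keeps the filter simple; a production filter would also need to cover whatever other reference-bearing attributes the renderer honours.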