I just uploaded [[Image:X client server example.png]]. That's a little network diagram done in Inkscape. So the native form is SVG, which is highly editable and thus makes some sense as a work to distribute under the GFDL - the SVG is the source code, the PNG is just a rendering.
But I can't upload SVG. Is there a good reason for this, or is it just that no-one thought of it?
(SVG is just XML text - I don't know of a way to include malware.)
This goes for other image formats - GIMP, Illustrator, etc. For resources under a license that allows editing, it would make sense to allow upload of the source version.
- d.
On Sat, Jan 22, 2005 at 08:07:25PM +1100, David Gerard wrote:
But I can't upload SVG. Is there a good reason for this, or is it just that no-one thought of it?
The filetypes allowable for uploads were hurriedly limited a while back because of abuse; I suspect it's just that nobody thought of SVG.
Frank v Waveren (fvw.wikipediaml@var.cx) [050123 14:45]:
On Sat, Jan 22, 2005 at 08:07:25PM +1100, David Gerard wrote:
But I can't upload SVG. Is there a good reason for this, or is it just that no-one thought of it?
The filetypes allowable for uploads were hurriedly limited a while back because of abuse; I suspect it's just that nobody thought of SVG.
Does it check what the file actually is, or just check the extension?
- d.
David Gerard wrote:
| Frank v Waveren (fvw.wikipediaml@var.cx) [050123 14:45]:
|> The filetypes allowable for uploads were hurriedly limited a while back because of abuse, I suspect it's just that nobody thought of SVG.
|
| Does it check what the file actually is, or just check the extension?
Take a look at SpecialUpload.php some time. In summary, on upload we:
* Normalize the filename
* Ensure the extension is in a whitelist
* Ensure that no blacklisted extensions are present
* For known image types, use the getimagesize() function to detect the file type and ensure that there is an identifiable header.
** If no type is detected for a known extension, the file is rejected.
** If the detected type does not match the given extension, the file is rejected.
* Attempt to replicate Internet Explorer's HTML-detection heuristic to prevent scripting attacks using HTML+JavaScript embedded into a valid image file.
-- brion vibber (brion @ pobox.com)
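The checks Brion lists, worked through as an added example in Python. This is not MediaWiki's SpecialUpload.php code; the extension whitelist and blacklist, the magic-byte table that stands in for getimagesize(), the set of HTML tags treated as sniffing evidence and the 1024-byte sniff window are all assumed values chosen for illustration. The sample uploads at the bottom are constructed headers, not real image data.

```python
import os
import re

# Constructed example following the upload checks listed in the thread:
# filename normalisation, extension whitelist/blacklist, header detection with
# an extension match, and an HTML-sniffing check. Policy values are assumed.
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg"}          # assumed whitelist
FORBIDDEN_EXTENSIONS = {"html", "htm", "js", "php", "phtml", "shtml", "cgi", "exe"}  # assumed blacklist

# Canonical type per allowed extension, so "jpg" and "jpeg" compare equal.
EXT_TYPE = {"png": "png", "gif": "gif", "jpg": "jpeg", "jpeg": "jpeg"}

# Magic-byte signatures standing in for getimagesize()'s header detection.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
}

# Tags that a content-sniffing browser treats as evidence of HTML when they
# appear early in a file. The exact tag set and window size are assumed here.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|title|script|iframe|object|embed|meta|a|img|div|table)\b",
    re.IGNORECASE,
)
SNIFF_WINDOW = 1024  # assumed number of leading bytes to inspect


class UploadRejected(ValueError):
    """Raised with a human-readable reason when an upload fails a check."""


def normalize_filename(name: str) -> str:
    """Drop any directory part and reduce the name to a conservative character set."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]+", "_", base).strip("._")
    if not base:
        raise UploadRejected("empty filename after normalisation")
    return base


def check_extensions(name: str) -> str:
    """Whitelist the final extension and reject a blacklisted extension anywhere in the name."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("no file extension")
    exts = parts[1:]
    if exts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension .%s is not whitelisted" % exts[-1])
    bad = [e for e in exts if e in FORBIDDEN_EXTENSIONS]
    if bad:
        raise UploadRejected("blacklisted extension .%s present in filename" % bad[0])
    return exts[-1]


def detect_image_type(data: bytes):
    """Return the image type implied by the file header, or None if none is recognised."""
    for kind, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None


def looks_like_html(data: bytes) -> bool:
    """True if HTML-looking markup appears within the leading bytes a sniffing browser inspects."""
    return HTML_MARKERS.search(data[:SNIFF_WINDOW]) is not None


def validate_upload(name: str, data: bytes):
    """Run every check in order; return (safe_name, detected_type) or raise UploadRejected."""
    safe_name = normalize_filename(name)
    ext = check_extensions(safe_name)
    detected = detect_image_type(data)
    if detected is None:
        raise UploadRejected("no recognisable image header for a known extension")
    if detected != EXT_TYPE[ext]:
        raise UploadRejected("header says %s but extension says %s" % (detected, EXT_TYPE[ext]))
    if looks_like_html(data):
        raise UploadRejected("HTML markup found in the leading bytes of an image file")
    return safe_name, detected


def rejects(name: str, data: bytes) -> bool:
    """Convenience wrapper: True when validate_upload refuses the file."""
    try:
        validate_upload(name, data)
    except UploadRejected:
        return True
    return False


# Constructed sample uploads (headers only; the bodies are not real image data).
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
GIF_OK = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 32
JPEG_OK = b"\xff\xd8\xff\xe0" + b"\x00" * 32
GIF_WITH_HTML = b"GIF89a" + b"\x01\x00\x01\x00" + b"<html><body>not an image</body></html>"
```

Each check answers one of the questions in the thread: `check_extensions` looks at every dotted segment, so `shell.php.png` is refused even though its last extension is whitelisted; `detect_image_type` plus the `EXT_TYPE` comparison is what makes a GIF renamed to `.png` fail; and `looks_like_html` is the sniffing defence, which fires on `GIF_WITH_HTML` even though its header is a perfectly good GIF header.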
Brion Vibber wrote:
David Gerard wrote:
| Frank v Waveren (fvw.wikipediaml@var.cx) [050123 14:45]:
|> The filetypes allowable for uploads were hurriedly limited a while back because of abuse, I suspect it's just that nobody thought of SVG.
|
| Does it check what the file actually is, or just check the extension?
Take a look at SpecialUpload.php some time. In summary, on upload we:
- Normalize the filename
- Ensure the extension is in a whitelist
- Ensure that no blacklisted extensions are present
- For known image types, use the getimagesize() function to detect the file type and ensure that there is an identifiable header.
  - If no type is detected for a known extension, the file is rejected.
  - If the detected type does not match the given extension, the file is rejected.
- Attempt to replicate Internet Explorer's HTML-detection heuristic to prevent scripting attacks using HTML+JavaScript embedded into a valid image file.
-- brion vibber (brion @ pobox.com)
For SVG, and other well-formed XML documents, it should be possible to check the uploaded document for conformance to the appropriate DTD or schema. See http://www.w3.org/TR/SVG/svgdtd.html for the SVG 1.0 DTD. After a bit of searching for free software (and that means free as in both GPL and not based on Java), it looks like libxml2 supports DTD validation for versions >= 2.4.0. The xmllint tool seems to be a nice way to wrap this all up in an easy-to-call command-line tool. See http://www.xmlsoft.org/xmldtd.html
However, I agree that the HTML/JavaScript detector should be used as well; double-checking is a good thing, and I'm not sure how extensible the SVG DTD is, or how lax other parsers are.
DTD-checking input also greatly increases the chances of downstream tools such as image renderers working properly when we allow SVG to be treated as yet another image type.
-- Neil.
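Neil's point that DTD validation and the script detector should both run deserves a concrete illustration: the SVG DTD itself declares a `script` element and the `on*` event attributes, so a file can be DTD-valid and still carry code. The following is an added example, not Neil's code or anything MediaWiki shipped, of the structural double-check in Python's standard-library `xml.etree` (which does no DTD validation; that step is what `xmllint --valid` provides). The forbidden-element set, the rule that any `on*` attribute is a handler, and the rule that only fragment (`#id`) references are local are policy choices assumed for the example; the SVG samples are constructed.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
SVG_ROOT = "{%s}svg" % SVG_NS
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}

# Elements an image host should refuse even though the SVG DTD allows them:
# script carries code, foreignObject can embed arbitrary XHTML. Assumed policy.
FORBIDDEN_ELEMENTS = {"script", "foreignObject"}


def local_name(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def check_svg(data: bytes) -> list:
    """Return a list of problems; an empty list means the document passed every check."""
    try:
        root = ET.fromstring(data)        # well-formedness check; no DTD fetch or validation
    except ET.ParseError as err:
        return ["not well-formed XML: %s" % err]
    problems = []
    if root.tag != SVG_ROOT:
        problems.append("root element is %r, not an SVG document" % root.tag)
    for el in root.iter():                # document order, root included
        name = local_name(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            problems.append("<%s> element present" % name)
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):          # assumed: every on* attribute is a handler
                problems.append("event handler attribute %s on <%s>" % (aname, name))
            elif attr in HREF_ATTRS and not value.startswith("#"):
                problems.append("external reference %r on <%s>" % (value, name))
    return problems


def is_safe_svg(data: bytes) -> bool:
    """True when check_svg finds nothing to object to."""
    return not check_svg(data)


# Constructed samples. CLEAN_SVG is the kind of drawing the thread is about;
# UNSAFE_SVG is DTD-shaped but carries a handler, a script element and a remote image.
CLEAN_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="100">
  <defs><rect id="box" width="80" height="40" fill="#ccf" stroke="#336"/></defs>
  <use xlink:href="#box" x="10" y="10"/>
  <use xlink:href="#box" x="110" y="50"/>
  <text x="20" y="90">client / server</text>
</svg>"""

UNSAFE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="setup()">
  <script>/* constructed sample, no real code */</script>
  <image xlink:href="http://example.invalid/remote.png" width="10" height="10"/>
</svg>"""

NOT_SVG = b'<html xmlns="http://www.w3.org/1999/xhtml"><body><p>hi</p></body></html>'
BROKEN = b"<svg><rect></svg>"
```

The check is deliberately a rejection list rather than an attempt to clean the file: an upload that trips any rule is refused whole, which matches the thread's preference for conservative acceptance over trying to be clever about what a renderer or browser will do with the remainder.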
Including SVG in Wikipedia articles could be a great feature, especially if they are editable (in Wikicommons, for example).
Traroth
--- David Gerard fun@thingy.apana.org.au wrote:
I just uploaded [[Image:X client server example.png]]. That's a little network diagram done in Inkscape. So the native form is SVG, which is highly editable and thus makes some sense as a work to distribute under the GFDL - the SVG is the source code, the PNG is just a rendering.
But I can't upload SVG. Is there a good reason for this, or is it just that no-one thought of it?
(SVG is just XML text - I don't know of a way to include malware.)
This goes for other image formats - GIMP, Illustrator, etc. For resources under a license that allows editing, it would make sense to allow upload of the source version.
- d.
Wikitech-l mailing list Wikitech-l@wikimedia.org
http://mail.wikipedia.org/mailman/listinfo/wikitech-l
Traroth (traroth@yahoo.fr) [050125 02:48]:
Including SVG in Wikipedia articles could be a great feature, especially if they are editable (in Wikicommons, for example).
If we can be sure of live data issues, which are basically knowing what formats have an app using them that is SO INCREDIBLY STUPID as to look for code in its data files ... that being what a malicious uploader will craft for. A whitelist to which additions are slow, gradual and deeply researched is probably the only safe answer.
- d.