On 05/27/2014 09:09 PM, Marc A. Pelletier wrote:
On 05/27/2014 09:05 PM, C. Scott Ananian wrote:
I agree that a simple whitelist might be
workable, but it does depend
on a bit of code auditing of librsvg to ensure that it can be done
robustly.
That works to protect the image scalers, if correct, but it does nothing
to protect the clients, would it?
If the SVG is blocked at upload time, other users will not be able to
download it, so that would address anything that can be statically
checked (e.g. URLs).
If you're referring to the long-running GET issue, we would have to see
how browsers handle things (i.e. whether it just keeps loading, times it
out, hangs the browser preventing you from closing the tab, etc.).
Matt Flaschen