Brion Vibber wrote:
David Gerard wrote:
| Frank v Waveren (fvw.wikipediaml(a)var.cx) [050123 14:45]:
|>The filetypes allowable for uploads were hurriedly limited a while
|>back because of abuse, I suspect it's just that nobody thought of SVG.
|
| Does it check what the file actually is, or just check the extension?
Take a look at SpecialUpload.php some time. In summary, on upload we:
* Normalize the filename
* Ensure the extension is in a whitelist
* Ensure that no blacklisted extensions are present
* For known image types, use the getimagesize() function to detect the
file type and ensure that there is an identifiable header.
** If no type is detected for a known extension, the file is rejected.
** If the detected type does not match the given extension, the file is
rejected.
* Attempt to replicate Internet Explorer's HTML-detection heuristic to
prevent scripting attacks using HTML+JavaScript embedded into a valid
image file.
-- brion vibber (brion @ pobox.com)
For SVG, and other well-formed XML documents, it should be possible to
check the uploaded document for conformance to the appropriate DTD or
schema. See
http://www.w3.org/TR/SVG/svgdtd.html for the SVG 1.0 DTD.
After a bit of searching for free software (and that means free as in
both GPL and not based on Java), it looks like libxml2 supports DTD
validation for versions >= 2.4.0. The xmllint tool seems to be a nice
way to wrap this all up in an easy-to-call command-line tool. See
http://www.xmlsoft.org/xmldtd.html
However, I agree that the HTML/JavaScript detector should be used as
well; double-checking is a good thing, and I'm not sure how extensible
the SVG DTD is, or how lax other parsers are.
DTD-checking input also greatly increases the chances of downstream
tools such as image renderers working properly when we allow SVG to be
treated as yet another image type.
-- Neil.
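
The upload checks listed in Brion's message, sketched in PHP as an added example; this is not code from SpecialUpload.php or the MediaWiki project. The extension lists, the HTML marker list, the sniff window size and the name checkUpload are assumptions, and getimagesizefromstring() stands in for getimagesize() so the constructed samples can be embedded inline.

```php
<?php
// Added illustration, not MediaWiki's SpecialUpload.php; lists and names are assumptions.
const ALLOWED = ['png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF,
                 'jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG];
const BLOCKED = ['php', 'phtml', 'html', 'htm', 'js', 'exe'];
// Markers that can make a content-sniffing browser render a file as HTML (assumed list).
const HTML_MARKERS = ['<html', '<head', '<body', '<script', '<title', '<a href', '<img', '<table'];
const SNIFF_BYTES = 1024; // assumed size of the window a sniffing browser inspects

function checkUpload(string $name, string $bytes): string
{
    // Normalize: strip any directory part, lower-case, split into dot-separated parts.
    $name  = strtolower(basename(str_replace('\\', '/', trim($name))));
    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        return 'reject: no usable name or extension';
    }
    $ext = array_pop($parts);
    if (!array_key_exists($ext, ALLOWED)) {
        return 'reject: extension not in whitelist';
    }
    // A blacklisted extension anywhere else in the name ("x.php.gif") is also refused.
    if (array_intersect(array_slice($parts, 1), BLOCKED)) {
        return 'reject: blacklisted extension present';
    }
    // The header must identify an image, and the detected type must match the extension.
    $info = @getimagesizefromstring($bytes);
    if ($info === false) {
        return 'reject: no identifiable image header';
    }
    if ($info[2] !== ALLOWED[$ext]) {
        return 'reject: detected type does not match extension';
    }
    // Refuse valid images that also carry HTML a sniffing browser might execute.
    $head = strtolower(substr($bytes, 0, SNIFF_BYTES));
    foreach (HTML_MARKERS as $marker) {
        if (strpos($head, $marker) !== false) {
            return 'reject: HTML markup found in image data';
        }
    }
    return 'accept';
}

// Constructed sample inputs: a minimal 1x1 GIF header, alone and with markup appended.
$gif = "GIF89a\x01\x00\x01\x00\x00\x00\x00;";
$cases = ['photo.gif' => $gif, 'photo.png' => $gif, 'x.php.gif' => $gif,
          'notes.gif' => 'plain text', 'trick.gif' => $gif . '<script></script>'];
foreach ($cases as $name => $bytes) {
    echo str_pad($name, 12), checkUpload($name, $bytes), "\n";
}
```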