Brion Vibber wrote:
I've turned SVG upload and rendering back off for now.
rsvg/librsvg doesn't seem to provide any ability to shut off inclusions
of image files from the filesystem, nor does the current filter prevent
such uploads. This could be abused at a minimum to read an image with a
known filename from the restricted internal wiki, given knowledge of the
filesystem layout on the server (which is easy to get given our open
documentation).
I've hacked in an embargo on external file references in librsvg, so
it's back on. Whee!
-- brion vibber (brion @ pobox.com)
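One way to do the upload-side check the message says the existing filter lacked, as an added example that is not Brion's patch and not MediaWiki's code: a Python filter that parses the uploaded SVG and rejects any reference that would make librsvg open something outside the document (file: URIs, absolute or relative filesystem paths, remote URLs, and external DTDs or entity declarations), while leaving same-document fragments and data: URIs alone. The sample SVGs and the /srv/private-wiki/... paths in them are constructed for this example and do not describe any real server layout.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
SVG_NS = "{http://www.w3.org/2000/svg}"

# CSS url(...) references appear in style attributes and in <style> blocks,
# so they have to be scanned as well as href attributes.
_CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]*)['"]?\s*\)""", re.IGNORECASE)
# Any DOCTYPE pointing at an external DTD, or any entity declaration, is rejected
# outright: whether the renderer's XML parser would load it is not ours to guess.
_EXTERNAL_DTD = re.compile(rb"<!DOCTYPE[^>]*\bSYSTEM\b|<!ENTITY\b", re.IGNORECASE)


def is_local_ref(ref: str) -> bool:
    """True only for references the renderer can satisfy without touching the
    filesystem or the network: same-document fragments and data: URIs."""
    ref = ref.strip()
    if ref.startswith("#"):
        return True
    if ref.lower().startswith("data:"):
        return True
    return False


def find_external_refs(svg_bytes: bytes) -> list:
    """Return (location, reference) pairs for every reference that would make the
    renderer open something outside the document. Empty list means the file passes."""
    findings = []
    if _EXTERNAL_DTD.search(svg_bytes):
        findings.append(("DOCTYPE", "external DTD or entity declaration"))
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Unparseable input is rejected rather than handed to the renderer.
        findings.append(("parse", f"not well-formed XML: {exc}"))
        return findings
    for elem in root.iter():
        tag = elem.tag.replace(SVG_NS, "") if isinstance(elem.tag, str) else "?"
        # SVG 1.1 uses xlink:href; SVG 2 also allows a plain href.
        for attr in ("href", XLINK_HREF):
            ref = elem.get(attr)
            if ref is not None and not is_local_ref(ref):
                findings.append((tag, ref))
        style = elem.get("style")
        if style:
            for ref in _CSS_URL.findall(style):
                if not is_local_ref(ref):
                    findings.append((f"{tag}@style", ref))
        if tag == "style" and elem.text:
            for ref in _CSS_URL.findall(elem.text):
                if not is_local_ref(ref):
                    findings.append(("style", ref))
    return findings


# Constructed samples for this example; the paths are placeholders, not a real layout.
SAMPLE_CLEAN = b"""<svg xmlns="http://www.w3.org/2000/svg"
 xmlns:xlink="http://www.w3.org/1999/xlink">
 <defs><linearGradient id="g"/><circle id="c" r="5"/></defs>
 <use xlink:href="#c" style="fill:url(#g)"/>
 <image xlink:href="data:image/png;base64,iVBORw0KGgo="/>
</svg>"""

SAMPLE_FILE_READ = b"""<svg xmlns="http://www.w3.org/2000/svg"
 xmlns:xlink="http://www.w3.org/1999/xlink">
 <image xlink:href="file:///srv/private-wiki/images/secret.png"/>
 <image href="../../private-wiki/images/secret.png"/>
 <rect style="fill:url(/srv/private-wiki/images/pattern.png)"/>
</svg>"""

SAMPLE_ENTITY = b"""<!DOCTYPE svg [ <!ENTITY x SYSTEM "file:///etc/hostname"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&x;</text></svg>"""

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("file-read", SAMPLE_FILE_READ),
                         ("entity", SAMPLE_ENTITY)):
        hits = find_external_refs(sample)
        print(name, "REJECT" if hits else "accept", hits)
```

The filter is deliberately an allow-list: anything that is not a fragment or a data: URI is treated as external, so a scheme-less relative path like ../../private-wiki/images/secret.png is caught the same way as file:///. It checks the upload only; it does not replace turning off filesystem access inside the renderer, which is the second layer the message describes.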