[Clipart] Malware in clipart

Jon Phillips jon at rejon.org
Mon Mar 14 02:30:40 PST 2005 

On Sun, 2005-03-13 at 15:49 -0500, Andrew Archibald wrote:
> Hi,
> 
> SVG can contain scripts, particularly JavaScript but also Java and 
> possibly other languages; it can also contain references to external 
> objects. When run from the local filesystem, such objects are probably 
> going to be run in a trusted fashion.  So malware in an SVG file could 
> attack a user's computer.
> 
> Does OpenClipart take any precautions to ensure that it does not include 
> malware in its collection?

At the moment we do not take any precautions against malware in the SVG
files. This is an interesting thing you are posting, as it increases the
priority in my mind for the need for such a tool. We have discussed
making a tool to shrink SVG files to their most basic components as a
standard. We are interested in CLIP ART, and hence we would not need any
javascript in our files.

So, I think we should strip out any javascript in submissions. First
though, we need to think up how/where malware could be placed into our
submissions? Maybe we shouldn't even allow for external links in SVG
files we accept? We need to have a discussion about this.

> I know perfectly well that none of the usual applications that will be 
> used with OpenClipart currently support scripting. But there are 
> applications that do, and it's a problem if a user gets bitten by 
> running one of them on an openclipart image; it's a much worse problem 
> if a user gets bitten by using one to look at a document containing an 
> openclipart image. (Consider the following: I make an SVG company logo 
> that includes a piece of openclipart. Someone looks at my company logo 
> and it wipes their hard drive.)

Yeah, that is really bad. We need to come up with scenarios how this
could happen. Obviously, HTML and any file uploaded to a server could
contain malware, however we need to take precautions about files we are
putting into our packages that go on people's computers.

> There are also possibly security concerns with rendering on the server; 
> does inkscape follow external references? if so, this poses security 
> problems, from revealing private images to including goatse in images.

Hmmm..not sure....but maybe others can speak to this.

> My reason for asking this question is this: Wikipedia refuses to store 
> SVG files for fear that one will contain some malware.  I'm trying to 
> change their minds, but it appears that an SVG sanitizer would be 
> necessary. So I'm looking to find how you deal with the problem.

Thanks Andrew for your post. I think we should look into this. Would you
be interested in helping us develop a tool to check and strip possible
malware from submissions?


-- 
Jon Phillips

USA PH 510.499.0894
jon at rejon.org
http://www.rejon.org

Inkscape (http://inkscape.org)
Open Clip Art Library (www.openclipart.org)
CVS Book (http://cvsbook.ucsd.edu)
Scale Journal (http://scale.ucsd.edu)

More information about the clipart mailing list