[Clipart] Malware in clipart

Jonadab the Unsightly One jonadab at bright.net
Mon Mar 14 06:37:00 PST 2005


Andrew Archibald <andrew.archibald at sympatico.ca> writes:

> Hi,
>
> SVG can contain scripts, 

It can?

I didn't know that...  

<rant relevancy="dubious">
  WHY, in the name of all that is sane, would an image ever need to
  contain scripts?  Yeesh, isn't anything just data anymore?  What
  were the W3C people *thinking*?  There are so many quite *useful*
  features SVG (or the existing editors for it, at any rate) does not
  support, e.g., gradients that follow or stay perpendicular to a
  spline rather than being linear or radial... why couldn't SVG
  include *those* features, instead of something dangerous?
</rant>

> Does OpenClipart take any precautions to ensure that it does not
> include malware in its collection?

Not at this time.

> I know perfectly well that none of the usual applications that will be
> used with OpenClipart currently support scripting. 

Good.  Let's hope it stays that way.  I'm a pretty imaginative guy,
but off the top of my head I can't think of any valid reason for a
clip art image to contain scripts.

> But there are applications that do, and it's a problem if a user
> gets bitten by running one of them on an openclipart image; it's a
> much worse problem if a user gets bitten by using one to look at a
> document containing an openclipart image. (Consider the following: I
> make an SVG company logo that includes a piece of
> openclipart. Someone looks at my company logo and it wipes their
> hard drive.)

It seems to me that we will not have the resources to hand-examine
every submission to ensure it is innocuous, so (barring an
earth-shattering breakthrough in AI research) if we take any
precautions at all it will have to be stripping out all scripts of any
kind, malware or not.  (Which, on the whole, doesn't sound like a
terribly bad idea to me...  feel free to jump in and explain why we
shouldn't do that, if you can think of any solid reasons.)

> There are also possibly security concerns with rendering on the
> server; 

As far as I am aware, we do not do any rendering on the
freedesktop.org server.  (Those PNG thumbnails you see when browsing
the collection are generated as part of the release process, usually
on somebody's desktop.)

> does inkscape follow external references? 

That I don't know.  Bryce might.

> My reason for asking this question is this: Wikipedia refuses to
> store SVG files for fear that one will contain some malware.  I'm
> trying to change their minds, but it appears that an SVG sanitizer
> would be necessary. So I'm looking to find how you deal with the
> problem.

I would not be opposed to automated sanitizing, e.g., stripping out
all scripts, though I think it should be done as part of the release
process, not at upload time.  (So, the files in incoming would not be
sanitized, but uploading would be quicker for contributors, and the
actual releases would be sanitized.)  Does that make sense to everyone
else?

Of course, we would need a sanitizer tool...  my SVG foo is not good
enough at this time to write one of those, at least, not with any
degree of confidence.

-- 
$;=sub{$/};@;=map{my($a,$b)=($_,$;);$;=sub{$a.$b->()}}
split//,"ten.thgirb\@badanoj$/ --";$\=$ ;-> ();print$/
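
The release-time script stripping discussed in this message could look like the sketch below. It is an added example, not part of the original post and not an OpenClipart tool. It assumes the only things to remove are script elements, on* event attributes, and href/xlink:href values that are not same-document fragments; the sample SVG is constructed.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}

# Constructed sample input: one script, two event handlers, two non-local refs.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script type="text/ecmascript">function init() {}</script>
  <defs><circle id="dot" r="5"/></defs>
  <use xlink:href="#dot" x="10" y="10"/>
  <image xlink:href="http://example.invalid/tracker.png" width="1" height="1"/>
  <a xlink:href="javascript:init()"><rect width="9" height="9" onclick="init()"/></a>
</svg>"""

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]

def sanitize_svg(svg_text):
    """Return (clean_svg, removed): scripts, handlers and external refs stripped."""
    ET.register_namespace("", SVG_NS)          # keep output free of ns0: prefixes
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)             # comments and PIs are dropped here
    removed = []
    for el in list(root.iter()):
        # Remove <script> children, whatever namespace they claim.
        for child in list(el):
            if local(child.tag).lower() == "script":
                el.remove(child)
                removed.append("element:script")
        for attr, value in list(el.attrib.items()):
            name = local(attr).lower()
            if name.startswith("on"):          # onload, onclick, ...
                del el.attrib[attr]
                removed.append(f"attr:{name}")
            elif attr in HREF_ATTRS and not value.strip().startswith("#"):
                # Allow-list: only same-document '#id' references survive.
                del el.attrib[attr]
                removed.append(f"ref:{value.strip()}")
    return ET.tostring(root, encoding="unicode"), removed

if __name__ == "__main__":
    clean, removed = sanitize_svg(SAMPLE)
    print("\n".join(removed))
    print(clean)
```

The returned list can be written to the release log so each stripped item is traceable to its file. Hardening the XML parser against entity-expansion input is not handled here.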



