[Clipart] Malware in clipart

Nicu Buculei nicu at apsro.com
Mon Mar 14 06:49:12 PST 2005


Jonadab the Unsightly One wrote:
> Andrew Archibald <andrew.archibald at sympatico.ca> writes:
> 
> 
>>Hi,
>>
>>SVG can contain scripts, 
> 
> 
> It can?
> 
> I didn't know that...  
> 
> <rant relevancy="dubious">
>   WHY, in the name of all that is sane, would an image ever need to
>   contain scripts?  Yeesh, isn't anything just data anymore?  What
>   were the W3C people *thinking*?  There are so many quite *useful*
>   features SVG (or the existing editors for it, at any rate) does not
>   support, e.g., gradients that follow or stay perpendicular to a
>   spline rather than being linear or radial... why couldn't SVG
>   include *those* features, instead of something dangerous?
> </rant>

Think about animation or interactive SVG images on a website (roll-over 
buttons).

>>I know perfectly well that none of the usual applications that will be
>>used with OpenClipart currently support scripting. 
> 
> 
> Good.  Let's hope it stays that way.  I'm a pretty imaginative guy,
> but off the top of my head I can't think of any valid reason for a
> clip art image to contain scripts.

Animation is planned as a future feature in Inkscape: 
http://inkscape.org/roadmap.php

> It seems to me that we will not have the resources to hand-examine
> every submission to ensure it is innocuous, so (barring an
> earthshattering breakthrough in AI research) if we take any
> precautions at all it will have to be stripping out all scripts of any
> kind, malware or not.  (Which, on the whole, doesn't sound like a
> terribly bad idea to me...  feel free to jump in and explain why we
> shouldn't do that, if you can think of any solid reasons.)

Probably this is what we will do: strip all scripts.

> 
> 
>>There are also possibly security concerns with rendering on the
>>server; 
> 
> 
> As far as I am aware, we do not do any rendering on the
> freedesktop.org server.  (Those PNG thumbnails you see when browsing
> the collection are generated as part of the release process, usually
> on somebody's desktop.)
> 
> 
>>does inkscape follow external references? 
> 
> 
> That I don't know.  Bryce might.

AFAIK, the current version of Inkscape could not create SVG with 
embedded images (I believe it can edit them), so those are linked as 
external files, but as you say, we don't have to worry about rendering 
on the server.

-- 
nicu
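
The "strip all scripts" step discussed in the message above, as an added example that is not part of the original post and not OpenClipart's own code: it removes `<script>` elements, `on*` event attributes and `javascript:` links from a submission, and reports linked (non-embedded) references for review. The function name, report fields and sample file are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

def _local(name):
    """Drop the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def strip_scripts(svg_text):
    """Return (clean_svg, report). Scope: <script> elements, on* event
    attributes and javascript: links; other active content is not handled."""
    if "<!ENTITY" in svg_text:  # assumption: refuse entity declarations outright
        raise ValueError("entity declarations not accepted")
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)
    report = {"scripts": 0, "handlers": 0, "js_links": 0, "external_refs": []}
    # Pass 1: drop every <script> element, whatever its namespace prefix.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) == "script":
                parent.remove(child)
                report["scripts"] += 1
    # Pass 2: drop event handlers and script links, note linked files.
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr)
            # Ignore whitespace/control characters when checking the URL scheme.
            value = re.sub(r"[\x00-\x20]", "", el.attrib[attr]).lower()
            if name.startswith("on"):
                del el.attrib[attr]
                report["handlers"] += 1
            elif name == "href" and value.startswith("javascript:"):
                del el.attrib[attr]
                report["js_links"] += 1
            elif name == "href" and not value.startswith(("#", "data:")):
                report["external_refs"].append(el.attrib[attr])
    return ET.tostring(root, encoding="unicode"), report

# Constructed sample input, not a file from the collection.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script type="text/ecmascript">function init(){}</script>
  <a xlink:href="Java Script:void(0)"><rect width="10" height="10" onmouseover="hi()"/></a>
  <image xlink:href="photo.png" width="5" height="5"/>
  <use xlink:href="#shape"/>
</svg>"""
```

Linked references are only reported, not removed, since images linked as external files are legitimate in the collection.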


