[Clipart] Malware in clipart
Andrew Archibald
andrew.archibald at sympatico.ca
Sun Mar 13 12:49:50 PST 2005
Hi,
SVG can contain scripts, particularly JavaScript but also Java and
possibly other languages; it can also contain references to external
objects. When run from the local filesystem, such objects are probably
going to be run in a trusted fashion. So malware in an SVG file could
attack a user's computer.
Does OpenClipart take any precautions to ensure that it does not include
malware in its collection?
I know perfectly well that none of the usual applications that will be
used with OpenClipart currently support scripting. But there are
applications that do, and it's a problem if a user gets bitten by
running one of them on an openclipart image; it's a much worse problem
if a user gets bitten by using one to look at a document containing an
openclipart image. (Consider the following: I make an SVG company logo
that includes a piece of openclipart. Someone looks at my company logo
and it wipes their hard drive.)
There are also possibly security concerns with rendering on the server;
does Inkscape follow external references? If so, this poses security
problems, from revealing private images to including goatse in images.
My reason for asking this question is this: Wikipedia refuses to store
SVG files for fear that one will contain some malware. I'm trying to
change their minds, but it appears that an SVG sanitizer would be
necessary. So I'm looking to find how you deal with the problem.
Thanks,
Andrew
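
The message above names two things a sanitizer would have to look for: script content and references to external objects. As an added example (not part of the original message, and not code from OpenClipart, Wikipedia or Inkscape), here is a minimal audit pass that reports both; the function names, finding labels and sample document are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignObject", "handler", "listener"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")  # url(...) in attributes

def local(name):
    """Drop the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]

def classify_target(target):
    """Return a finding kind for a link target, or None if same-document."""
    # Ignore case and embedded whitespace/control characters in the scheme.
    t = re.sub(r"[\x00-\x20]", "", target).lower()
    if not t or t.startswith("#"):
        return None
    if t.startswith(("javascript:", "vbscript:")):
        return "script-uri"
    return "reference"  # not a same-document fragment: report for review

def audit_svg(svg_text):
    """Return sorted (kind, detail) findings; an empty list means none."""
    # Conservative policy: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        return [("dtd", "DOCTYPE or ENTITY declaration")]
    findings = set()
    for el in ET.fromstring(svg_text).iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.add(("active-element", tag))
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.lower().startswith("on"):
                findings.add(("event-handler", f"{tag}@{name}"))
            targets = CSS_URL.findall(value)
            if name in ("href", "src"):
                targets.append(value)
            for target in targets:
                kind = classify_target(target)
                if kind:
                    findings.add((kind, f"{tag}@{name}={target}"))
    return sorted(findings)

# Constructed sample, not taken from any real clipart file.
SUSPECT = """<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
 <script>init = function () {}</script>
 <image xlink:href="http://example.invalid/tracker.png"/>
 <a xlink:href=" JavaScript:void(0)"><rect fill="url(http://example.invalid/p.svg#x)"/></a>
</svg>"""
```

This pass only reports; it does not rewrite the file, and it does not inspect the text of `<style>` elements.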