[Clipart] Malware in clipart

Andrew Archibald andrew.archibald at sympatico.ca
Sun Mar 13 12:49:50 PST 2005


SVG can contain scripts, particularly JavaScript but also Java and 
possibly other languages; it can also contain references to external 
objects. When run from the local filesystem, such objects are probably 
going to be run in a trusted fashion.  So malware in an SVG file could 
attack a user's computer.

Does OpenClipart take any precautions to ensure that it does not include 
malware in its collection?

I know perfectly well that none of the usual applications that will be 
used with OpenClipart currently support scripting. But there are 
applications that do, and it's a problem if a user gets bitten by 
running one of them on an OpenClipart image; it's a much worse problem
if a user gets bitten by using one to look at a document containing an
OpenClipart image. (Consider the following: I make an SVG company logo
that includes a piece of OpenClipart. Someone looks at my company logo
and it wipes their hard drive.)

There are also possibly security concerns with rendering on the server;
does Inkscape follow external references? If so, this poses security
problems, from revealing private images to including goatse in images.

My reason for asking this question is this: Wikipedia refuses to store 
SVG files for fear that one will contain some malware.  I'm trying to 
change their minds, but it appears that an SVG sanitizer would be 
necessary. So I'm looking to find how you deal with the problem.
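
An added example, not code from the post or from OpenClipart, Inkscape or Wikipedia: an audit pass over one SVG file that reports the two things the post names, scripts and references to external objects. The function names, finding labels and sample SVG are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# url(...) in CSS or presentation attributes; group 1 is the target.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")

def classify(target):
    """Return 'script', 'external-ref', or None for a harmless target."""
    t = target.strip().lower()
    if t.startswith("javascript:"):
        return "script"
    # Same-document fragments and inline data: URIs fetch nothing external.
    return None if t.startswith(("#", "data:")) else "external-ref"

def audit_svg(svg_text):
    """Return a sorted list of (kind, detail) findings for one SVG document."""
    if "<!ENTITY" in svg_text:
        # Refuse to parse: entities can expand hugely or name external files.
        return [("entity", "document declares XML entities")]
    found = set()
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip ElementTree's '{namespace}'
        if tag == "script":
            found.add(("script", "<script> element"))
        targets = CSS_URL.findall(el.text or "") if tag == "style" else []
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1]
            if attr.lower().startswith("on"):
                found.add(("script", f"{attr} on <{tag}>"))
            elif attr == "href":
                targets.append(value)
            else:
                targets += CSS_URL.findall(value)
        for target in targets:
            kind = classify(target)
            if kind:
                found.add((kind, f"{target} in <{tag}>"))
    return sorted(found)

# Constructed sample, not a real OpenClipart file.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>function init() {}</script>
  <image xlink:href="http://example.invalid/logo.png"/>
  <rect fill="url(#grad)" style="filter:url(other.svg#f)"/>
  <use xlink:href="#shape"/>
</svg>"""

if __name__ == "__main__":
    print(*audit_svg(SAMPLE), sep="\n")
```

It reports rather than rewrites, so a collection could use it to hold a submission for review. CSS `@import` rules and content nested inside `data:` URIs are outside what it checks.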


