[Clipart] Malware in clipart

Andrew Archibald andrew.archibald at sympatico.ca
Tue Mar 15 09:04:49 PST 2005

Stephen Silver wrote:
> Jonadab wrote:
>>>As far as I can tell, any SVG file with a script element must
>>>contain "<script" or ":script" (or maybe ";script").  
>>They could not contain scripts in attributes, such as onclick,
>>onmouseover, onmouseout, onmousedown, onmouseup, onfocus, onblur,
>>onrollover, onload, onunload, et cetera, ad infinitum, ad bedlam?
> Yes, I forgot that the scripts could be entirely contained in
> attributes.  There are 19 such attributes listed in the SVG spec.
> I checked yesterday that none of these attributes are used in SVG
> files in the current release.  As before, this check was done
> with grep, so it depends on the files being in UTF-8 (and Andrew
> Archibald says that they can be hidden from grep anyway - I would
> be interested to see how this can be done).

I have a script that will remove (and report the presence of) scripts from any 
conforming SVG document that contains only SVG.  It only works on SVG 1.1 (just 
beacuse I haven't extracted lists of scripting keywords from SVG 1.2).  It 
takes the riskier but much shorter whitelist approach.  It uses python 2.3, but 
   could easily be ported to an earlier version.

Its current limitations are (also listed in the script itself):
* Does not validate the SVG against the DTD
* Neither detects nor deals with documents that may contain non-SVG XML

On the other hand, it's extremely simple, and cannot be fooled by XML hackery 
involving character sets and entities.

I don't recommnd it as a final version, but it may serve as a useful point in 
the discussion.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: script-remove.py
Type: application/x-python
Size: 2016 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/clipart/attachments/20050315/a410d511/attachment.bin>

More information about the clipart mailing list