[Clipart] [Bug 3354] New: no scanning for malware

[bugzilla-daemon at freedesktop.org]

Please do not reply to this email: if you want to comment on the bug, go to    
       
the URL shown below and enter yourcomments there.     
   
https://bugs.freedesktop.org/show_bug.cgi?id=3354          
     
           Summary: no scanning for malware
           Product: openclipart.org
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: tools
        AssignedTo: clipart at lists.freedesktop.org
        ReportedBy: andrew.archibald at mail.mcgill.ca


SVG can contain javascript; few viewers currently execute this script, and all
(?) currently run it in an untrusted environment even if the file is loaded from
a local filesystem, but we can expect this to change as useful scripts appear in
SVG files.  In any case there are security holes in the script-executing
viewers. Thus it is possible for SVG to contain malware.

Currently, OCAL happily stores and redistributes SVG without any kind of
verification method, manual or automatic, to check for malware in SVG.

It is possible to write a script which simply rejects any script-containing
image; attached is a script which does so, although it is limited by the
presence of non-SVG XML in SVG files (such as inkscape-specific XML, metadata,
and Illustrator-specific XML, none of which can be reliably sanitized).          
     
     
--           
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email         
     
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.