[Clipart] Malware in clipart
David Illsley
david at illsley.org
Mon Mar 14 09:05:06 PST 2005
The w3c have a recent habit of producing 'profiles' of their
specifications; there's a possibility that they've done this for SVG
and there is an appropriate profile (or that they might be making one).
I don't know, do we have anyone who follows the w3c svg working group
on the list?
If there were, then it would be much simpler to advertise that we accept
'SVG-safe' (or whatever) documents.
David
On 14 Mar 2005, at 16:49, Andrew Archibald wrote:
> Jon Phillips wrote:
>
>> So, I think we should strip out any javascript in submissions. First
>> though, we need to think up how/where malware could be placed into our
>> submissions? Maybe we shouldn't even allow for external links in SVG
>> files we accept? We need to have a discussion about this.
>
> I wrote a preliminary tool, only to realize that the task was much
> more complicated than I had thought.
>
> My knowledge of SVG is limited to its use as a clipart-like format, so
> this is by no means definitive. But there seem to be two places
> scripts can occur: <script> elements, and certain attributes of tags
> (onClick and suchlike). Removing the first is easy; removing the
> second requires knowing which attributes are okay and which are not.
>
> So I see two ways to write a sanitizer script:
>
> 1. Use an XML tool (I started with python-xml) to load the whole
> document into a DOM tree. Read the spec and make a list of acceptable
> tags and attributes. The program then walks the tree and removes
> anything not on the list.
>
> 2. Use XSLT. I don't even know what it stands for, let alone how to
> use it, but it seems to be designed for just this sort of operation.
>
> Both ways will badly mangle any SVG designed to use scripts to
> display, but there's really no way around that.
>
> Validating against a DTD is probably a good idea too, both before and
> after, in the interest of interoperability. In fact, it might be
> possible to construct a restricted DTD for "SVG static" which we could
> then validate against as a check for the absence of scripts (and
> animation).
>
>> Thanks Andrew for your post. I think we should look into this. Would
>> you
>> be interested in helping us develop a tool to check and strip possible
>> malware from submissions?
>
> I am interested, but my knowledge of XML and SVG is limited.
>
> Andrew
> _______________________________________________
> clipart mailing list
> clipart at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/clipart
>
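The allowlist tree walk Andrew sketches as option 1 above, written out as an added Python example; it is not code from this thread or from the clipart project's own tooling. It assumes a constructed allowlist covering a small subset of static SVG 1.1 and uses the standard library's xml.etree. Anything not on the list is dropped, which removes <script>, on* event handlers and animation elements in one pass; it also drops external references (href values and url(...) targets that are not local "#id" fragments), the external-link concern Jon raises. The `<a>` element is unwrapped rather than deleted so the shapes inside a link survive. For untrusted uploads in production the parse step would go through a hardened parser such as defusedxml (assumed available) to resist entity-expansion attacks, which plain xml.etree does not guard against.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed allowlist: a small "static clipart" subset of SVG 1.1.
# Everything else (script, animate, foreignObject, ...) is removed.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "metadata",
    "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan", "linearGradient", "radialGradient", "stop", "use",
}
# Elements that are not allowed themselves but whose children are kept.
UNWRAP_ELEMENTS = {"a"}
# Constructed attribute allowlist. Note: no on* handlers are listed, so
# every event handler falls out automatically.
ALLOWED_ATTRIBUTES = {
    "id", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
    "width", "height", "viewBox", "d", "points", "transform",
    "fill", "stroke", "stroke-width", "opacity", "fill-opacity",
    "stroke-opacity", "style", "offset", "stop-color", "stop-opacity",
    "font-family", "font-size", "gradientUnits",
    "href",  # kept only when it is a same-document "#id" reference
}
# Matches the target of a CSS/SVG url(...) token, e.g. fill="url(#grad)".
_URL_RE = re.compile(r"""url\(\s*['"]?([^'")]*)""")


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags/attributes."""
    return name.rsplit("}", 1)[-1]


def _refs_are_local(local, value):
    """True if every reference in the value stays inside this document."""
    if local == "href":
        return value.startswith("#")
    return all(t.strip().startswith("#") for t in _URL_RE.findall(value))


def _clean_attributes(elem, removed):
    for name, value in list(elem.attrib.items()):
        local = _local(name)
        if local not in ALLOWED_ATTRIBUTES:
            reason = "event handler" if local.lower().startswith("on") else "not on allowlist"
        elif not _refs_are_local(local, value):
            reason = "external reference"
        else:
            continue
        removed.append(f"attribute {local}={value!r} on <{_local(elem.tag)}> ({reason})")
        del elem.attrib[name]


def _clean_children(elem, removed):
    """Return the sanitized child list of elem, recursing into kept nodes."""
    kept = []
    for child in list(elem):
        local = _local(child.tag) if isinstance(child.tag, str) else None
        if local in ALLOWED_ELEMENTS:
            _clean_attributes(child, removed)
            child[:] = _clean_children(child, removed)
            kept.append(child)
        elif local in UNWRAP_ELEMENTS:
            removed.append(f"element <{local}> (children kept)")
            kept.extend(_clean_children(child, removed))
        else:
            removed.append(f"element <{local}> (with its subtree)")
    return kept


def sanitize_svg(svg_text):
    """Return (cleaned SVG string, list describing what was removed)."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = []
    _clean_attributes(root, removed)
    root[:] = _clean_children(root, removed)
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: a benign drawing with a script, two event handlers,
# an external link and an animation mixed in.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(1)">
  <script>alert('hi')</script>
  <defs><linearGradient id="g"><stop offset="0" stop-color="red"/></linearGradient></defs>
  <a xlink:href="http://example.invalid/">
    <rect x="1" y="1" width="10" height="10" fill="url(#g)" onclick="alert(2)"/>
  </a>
  <circle cx="5" cy="5" r="3"/>
  <animate attributeName="r" from="3" to="10"/>
</svg>"""

if __name__ == "__main__":
    cleaned, report = sanitize_svg(SAMPLE)
    print(cleaned)
    for line in report:
        print("removed:", line)
```

Running the module prints the cleaned document followed by one line per removal, which is the kind of report a submission queue would want to attach to a rejected or modified upload. The allowlist is deliberately short; extending it means reading the SVG 1.1 element and attribute tables, exactly as Andrew describes, and never adding an on* attribute or an element that can load external content.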