[Clipart] [Bug 3354] no scanning for malware

bugzilla-daemon at freedesktop.org
Fri May 20 20:22:24 PDT 2005


Please do not reply to this email: if you want to comment on the bug, go to
the URL shown below and enter your comments there.

https://bugs.freedesktop.org/show_bug.cgi?id=3354

------- Additional Comments From andrew.archibald at mail.mcgill.ca  2005-05-20 20:22 -------
For the script itself, it would not take long to create a more secure version
based on a RELAX NG specification of SVG (there are several quasi-free ones out
there) which would validate the SVG against a schema which did not permit
scripting.  At the same time it would check for bad SVG (things like rectangles
without coordinates and so on), use of other namespaces (Inkscape, Illustrator,
and so on), and use of external resources (this could be a security issue also). 

However, I think it's better for the moment to work on getting some kind of
validation as part of the library. Upon reflection, I like the idea of having a
"malware-free" flag, as this allows easy scanning of old images, manual sorting
out of problem images, and so on.  I still think a step in the upload where the
uploader is asked "does this image look right?" is a good idea, and the
malware-scanning could happen at this time so that they know right away if
there's some problem with their image. 

So, I think this bug is waiting on the DMS: once the DMS is written, a quick
SOAP hack ought to do the job; integrating the malware scanner into the upload
script can happen any time after that.

--
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
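
The checks proposed in the comment above (no scripting, no bad SVG, no foreign namespaces, no external resources), sketched as an added example that is not part of the original message or the project's upload script. It uses a simplified element allowlist in place of a full RELAX NG schema; the names `scan_svg`, `ALLOWED_ELEMENTS`, `REQUIRED_ATTRS` and the sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Assumed allowlist for this example; a real schema would cover all of static SVG.
ALLOWED_ELEMENTS = {"svg", "g", "rect", "circle", "ellipse", "line", "path",
                    "polygon", "polyline", "text", "defs", "use",
                    "linearGradient", "radialGradient", "stop", "title", "desc"}
REQUIRED_ATTRS = {"rect": ("width", "height"), "circle": ("r",)}
# Constructed sample input: one problem of each kind the comment lists.
SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
          b' xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" onload="x()">'
          b'<script>1</script><rect width="5"/><inkscape:grid/>'
          b'<use xlink:href="http://example.invalid/a.svg#b"/></svg>')

def split_name(name):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if name.startswith("{"):
        ns, local = name[1:].split("}", 1)
        return ns, local
    return "", name

def scan_svg(data):
    """Return a list of findings; an empty list means the file passed."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:  # strict choice made for this example
        return ["DOCTYPE/entity declarations are not accepted"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        ns, local = split_name(el.tag)
        if ns != SVG_NS:
            findings.append(f"foreign namespace element: {local} ({ns or 'none'})")
            continue
        if local not in ALLOWED_ELEMENTS:  # <script> is rejected by omission
            findings.append(f"element not in schema: {local}")
        for need in REQUIRED_ATTRS.get(local, ()):
            if need not in el.attrib:
                findings.append(f"bad SVG: <{local}> missing {need}")
        for name, value in el.attrib.items():
            a_ns, a_local = split_name(name)
            if a_ns not in ("", XLINK_NS):
                findings.append(f"foreign namespace attribute: {a_local}")
            elif a_ns == "" and a_local.lower().startswith("on"):
                findings.append(f"event handler attribute: {a_local}")
            elif a_local == "href" and not value.strip().startswith("#"):
                findings.append(f"external resource: {value.strip()[:40]}")
    return findings
```

This sketch does not inspect `style` attribute values or CSS `url()` references, which can also point at external resources.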