[WONTFIX] SVG is as evil as ZIP
Friday, March 15, 2013 - 00:42
The following SVG file should open a pop-up, then (after you press OK) redirect you to the flare windows archive. Effectively it makes you download a zip file.
You can make someone download a zip file with a plain HTML link, too.
Instead of ZIP, it could have been EXE. So people might run it thinking that the file they just downloaded was SVG file.
You can also do the same with a html link but no one would expect their browsers to download a html file.
IMO, no one on OGA is dumb enough to click on EXE downloaded offsite, thinking it is the SVG file they downloaded from OGA.
But you are saying that they are dumb enough to click on an EXE in a ZIP file which they knowingly downloaded from OGA.
You're reading an awful lot into that one little statement. That said, I was being snarky and I should have gone into a bit more detail.
The reason I allow ZIP files at all isn't because I want people to upload executable files to OGA, it's because I understand that there are tons of different art formats out there, some more esoteric than others. While I don't necessarily want to encourage people to use strange formats (by explicitly listing them in the allowed file upload formats), I don't necessarily want to prohibit them either. But that's just on art submissions.
The reason I allow file attachments to forum posts at all is to facilitate discussion about art. I'm perfectly happy with people discussing code as well, but I don't want to get into the business of hosting people's random files in a section of the site that doesn't receive nearly as much public scrutiny as the art section does. I don't have time to vet everything myself, and a lot more people see art submissions than forum posts. I'd also prefer to avoid having people post a zip on the forum and then hotlink it from other sites. OGA is an art hosting website, not a code hosting website. There are other sites that are perfectly happy to host your code and your executables, and you're more than welcome to link to those sites in your forum posts.
It makes sense now. Thanks for the lengthy explanation
I don't see how this is "evil" though? I mean, the user still gets a pop up asking if they want to download, and they'd be asked again before opening/running it, with the usual warnings that Windows gives. As said above, auto-downloads can be done with a webpage, so most users should be used to the idea (albeit it's a bit unconventional with an svg file).
I don't think clicking on the svg alone could cause the exe to run?
Yes, it's true that one can circumvent the restriction on uploading exe files, but then one could do that by uploading a zip too, and I guess one has to be pragmatic - there's little point allowing exes on a site for art, but you can't stop people distributing one in another form, without restricting useful types like zip and svg.
Interesting point about svgs - I knew you could embed raster images (rather than the vector style they usually are for), I didn't know about embedding any file though.
The ZIP archive is not included in the SVG -- it just contains a <script> tag with
window.location = "https://github.com/downloads/clintbellanger/flare-game/flare_win_v017_1.zip";
That being said, while I'm against forbidding SVG forum attachments, I guess it wouldn't hurt to sanitize the files on upload in order to strip all <script> tags and all exploits that allow executing Javascript.
What I've seen done in cases like that is that the files (SVG files in this case) are hosted on a different domain, so that accessing cookies and other things is impossible (for the website's domain).
There are uses for Javascript in SVG, one of which is animations.
Maybe SVG files with Javascript tags should have a different mime-type so they are downloaded instead of displayed?
Actually this is very interesting and should be fixed; not just here but in browsers, inkscape etc. Not to disable JS entirely, but to sanitize it. I did not realize the use case of malicious SVGs until just now... http://www.securitytube.net/video/5533
Also - http://blog.jondh.me.uk/2012/09/inkscape-xml-entity-vulnerabilities/
Someone should make a very good PHP Sanitizing LIB for SVGs and the problem would be solved for everyone. :)
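As an added example (not part of the thread and not OGA's code), this Python function does the upload-time sanitizing the comments above ask for: it removes <script> and other script-capable elements, on* event handlers and link targets outside an allowlist, and refuses any file with a DOCTYPE, the carrier for the XML entity issues linked above. The blocked-tag list, the URL allowlist and the sample file are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
BLOCKED_TAGS = {"script", "foreignobject", "iframe", "object", "embed"}  # assumed list
SAFE_URL_PREFIXES = ("#", "http://", "https://", "data:image/")  # assumed allowlist
# Constructed sample modelled on the attachment described in the thread.
SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
<script>window.location = "https://example.invalid/file.zip";</script>
<a href="javascript:alert(1)"><rect width="10" height="10"/></a>
</svg>"""

def local(name):
    """Lower-cased name without the '{namespace}' prefix ElementTree adds."""
    return name.rsplit("}", 1)[-1].lower()

def is_unsafe(elem):
    """True for script-capable elements and for SMIL that rewrites a link target."""
    tag = local(elem.tag)
    smil_href = tag in {"set", "animate"} and elem.get("attributeName", "").lower().endswith("href")
    return tag in BLOCKED_TAGS or smil_href

def sanitize_svg(data: bytes) -> bytes:
    """Return the SVG without active content; raise ValueError if it is refused."""
    text = data.decode("utf-8")  # UTF-8 only; UnicodeDecodeError is a ValueError
    if re.search(r"<!\s*(DOCTYPE|ENTITY)", text, re.I):
        raise ValueError("DTD and entity declarations are not accepted")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not <svg> in the SVG namespace")
    for elem in list(root.iter()):
        for child in [c for c in elem if is_unsafe(c)]:
            elem.remove(child)
        for name, value in list(elem.attrib.items()):
            url = re.sub(r"[\x00-\x20]", "", value).lower()  # defeat "java\tscript:"
            if local(name).startswith("on"):
                del elem.attrib[name]  # onload, onclick, ...
            elif local(name) == "href" and not url.startswith(SAFE_URL_PREFIXES):
                del elem.attrib[name]  # javascript:, data:text/html, ...
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root)

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE).decode())
```

Serving the sanitized output from a separate domain, as suggested in the thread, still limits the damage if something slips past a filter like this.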