Re: [E-devel] Insecure SVG loader test

2010-08-15 Thread Albin Tonnerre
On Sun, 15 Aug 2010 07:00 +0200, vto...@univ-evry.fr wrote :
> Quoting Albin Tonnerre :
> >
> you can test that only at runtime and not at configure time, as someone
> can add
> the svg loader (as a shared lib) after an installation of evas. So it can only
> be after testing a svg file, I think.

Re: [E-devel] Insecure SVG loader test

2010-08-14 Thread vtorri
Quoting Albin Tonnerre :
> On Sat, 14 Aug 2010 23:46 +0200, Joerg Sonnenberger wrote :
>> On Sat, Aug 14, 2010 at 11:35:13PM +0200, Albin Tonnerre wrote:
>> > - If efreet returns an SVG icon when SVG rendering is not
>> compiled in evas,
>> >   then you get no icon where an xpm icon (which coul

Re: [E-devel] Insecure SVG loader test

2010-08-14 Thread The Rasterman
On Sun, 15 Aug 2010 00:17:40 +0200 Albin Tonnerre said:
> On Sat, 14 Aug 2010 23:46 +0200, Joerg Sonnenberger wrote :
> > On Sat, Aug 14, 2010 at 11:35:13PM +0200, Albin Tonnerre wrote:
> > > - If efreet returns an SVG icon when SVG rendering is not compiled in
> > > evas, then you get no icon w

Re: [E-devel] Insecure SVG loader test

2010-08-14 Thread Albin Tonnerre
On Sat, 14 Aug 2010 23:46 +0200, Joerg Sonnenberger wrote :
> On Sat, Aug 14, 2010 at 11:35:13PM +0200, Albin Tonnerre wrote:
> > - If efreet returns an SVG icon when SVG rendering is not compiled in evas,
> >   then you get no icon where an xpm icon (which could have been rendered
> >   correct

Re: [E-devel] Insecure SVG loader test

2010-08-14 Thread Joerg Sonnenberger
On Sat, Aug 14, 2010 at 11:35:13PM +0200, Albin Tonnerre wrote:
> - If efreet returns an SVG icon when SVG rendering is not compiled in evas,
>   then you get no icon where an xpm icon (which could have been rendered
>   correctly) might have existed.

OK

> - Since there is no way to ask evas

Re: [E-devel] Insecure SVG loader test

2010-08-14 Thread Albin Tonnerre
On Sat, 14 Aug 2010 23:13 +0200, Joerg Sonnenberger wrote :
> hi all,
> in src/bin/e_main.c there is this wonderful gem _e_main_test_svg_loader.
> Writing a hard-coded XML file to a known location is just asking for
> trouble. It basically means that anyone with write access to /tmp can
> make the