On Dec 1, 2009, at 6:07 PM, Nikolas Zimmermann wrote:

> I'd like to enable SVG Filters support by default. This is the last remaining 
> piece before we can officially claim SVG 1.0/1.1 support, in our SVG DOM 
> implementation (through SVG requiredFeatures/requiredExtensions 
> functionality).
> 
> Dirk has done an amazing job, providing most of our new cross-platform filter 
> support. In previous discussions, security concerns have been raised, as the 
> code is doing pixel-manipulations, with web content as input, so it's a place 
> that needs special attention. Oliver specifically asked for a person not 
> involved in reviewing the patches, but a 3rd party to check the code for 
> potential problems.
> 
> What do you think about this approach? Would anyone volunteer, for having a 
> look over the existing filters code in trunk?
> Does anyone see other problems with turning on filters?

If this is in good shape, I’d love to see this turned on in nightly builds, 
especially if we have lots of good regression tests for it. It’s good to have the 
code tested and lived on for a while.

I think it would be great for us to figure out what type of testing and 
reviewing we need to do to be confident enough of the security of the code to 
turn it on for releases such as the WebKit that comes with a future version of 
Safari.

At a high level it sounds great for someone to check this for security 
problems, but it’s not obvious to me that someone will be available and have 
the skills to do it.

What kinds of tests do we have for the code already? Do we have code that tries 
to exercise edge cases? Do we have a fuzzer of some sort?

    -- Darin

_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
