https://bugzilla.wikimedia.org/show_bug.cgi?id=65724
--- Comment #3 from Christian <[email protected]> ---

I've tried uploading with the old upload form, but get a reproducible Gateway timeout (my upstream is at 1mbit). This is why I've tried chunked upload.

As for specifically disabling external images for SVGs: Why? You're breaking the standard doing this. This is a security issue of the respective JPG or PNG libraries you're talking about. They need to be as recent and as secure as possible for this. If they are not, then an "attacker" (i.e. commons user) could simply upload his/her malicious png/jpg using the upload form and the image would be processed by those same libraries anyway (!)

A just reason for refraining from HTTP(S) references in librsvg would be the absence of a guarantee on availability of the external resource over time. This could be solved using two methods, the second one being the stricter one:

1) cache external refs on thumbnail generation, check for updates on external server on thumbnail re-generation
2) allow external refs to images residing on wikimedia servers only

The second method should be achievable even without a regexp match by simply doing a "starts with" check on the "xlink:href" value for "http://commons.wikimedia.org/" or "http://commons.wikimedia.org/", virtually this would not cost any performance. If a regexp check is tolerable performance-wise, then support for subprojects of the wikimedia eco-system might be included as well.

_________
Ultimate security is a black box. Wikipedia is about sharing.
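An added example, not part of the comment above and not MediaWiki or librsvg code: one way to apply the second method is to compare the parsed host of each `xlink:href` against an allowlist instead of a string prefix, so that `https` and mixed-case URLs are accepted while look-alike hosts are rejected. The function names, the one-host allowlist and the sample SVG are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
SVG_IMAGE = "{http://www.w3.org/2000/svg}image"

# Assumption: the allowlist holds only the host named in the comment.
ALLOWED_HOSTS = {"commons.wikimedia.org"}
ALLOWED_SCHEMES = {"http", "https"}


def href_allowed(href):
    """Return True if href is an http(s) URL on an allowlisted host."""
    try:
        parts = urlsplit(href.strip())
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # .hostname is lowercased and excludes userinfo and port.
    return parts.hostname in ALLOWED_HOSTS


def image_href_verdicts(svg_text):
    """Return (href, allowed) for every <image> element carrying an href.

    Inline data: URIs and relative paths come back as not allowed here;
    a real policy would handle them separately. Untrusted uploads should
    be parsed with a hardened XML parser (for example defusedxml).
    """
    root = ET.fromstring(svg_text)
    verdicts = []
    for el in root.iter(SVG_IMAGE):
        href = el.get(XLINK_HREF) or el.get("href")
        if href is not None:
            verdicts.append((href, href_allowed(href)))
    return verdicts


# Constructed sample input.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://commons.wikimedia.org/a.png"/>
  <image xlink:href="http://commons.wikimedia.org.example.net/b.png"/>
  <image xlink:href="http://commons.wikimedia.org@example.net/c.png"/>
  <image xlink:href="HTTP://Commons.Wikimedia.org/d.png"/>
</svg>"""

if __name__ == "__main__":
    for href, ok in image_href_verdicts(SAMPLE_SVG):
        print("allow" if ok else "block", href)
```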
