https://bugzilla.wikimedia.org/show_bug.cgi?id=65724
--- Comment #5 from Bawolff (Brian Wolff) <[email protected]> ---
(In reply to Christian from comment #3)
> I've tried uploading with the old upload form, but get reproducible Gateway
> timeout (my upstream is at 1mbit). This is why I've tried chunked upload.
>
>
> As for specifically disabling external images for SVGs: Why? You're
> breaking the standard doing this. This is a security issue of the
> respective JPG or PNG libraries you're talking about. They need to be as
> recent and as secure as possible for this.
>
> If they are not, then an "attacker" (i.e. commons user) could simply upload
> his/her malicious png/jpg using the upload form and the image would be
> processed by those same libraries anyway (!)
>
>
> A just reason for refraining from HTTP(S) references in librsvg would be the
> absence of a guarantee on availability of the external resource over time.
> This could be solved using two methods, the second one being the stricter
> one:
>
> 1) cache external refs on thumbnail generation, check for updates on
> external server on thumbnail re-generation
>
> 2) allow external refs to images residing on wikimedia servers only
>
>
> The second method should be achievable even without a regexp match by simply
> doing a "starts with" check on the "xlink:href" value for
> "http://commons.wikimedia.org/" or "http://commons.wikimedia.org/",
> virtually this would not cost any performance. If a regexp check is
> tolerable performance-wise, then support for subprojects of the wikimedia
> eco-system might be included as well.
>
>
> _________
> Ultimate security is a black box. Wikipedia is about sharing.

It's hardly an unreasonable burden, given that commons considers embedding raster files in SVGs inappropriate in most cases that they are used.

This isn't the right place for arguing about this (since it's off-topic for this specific bug report). Bring it up on wikitech-l if you feel strongly about it.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
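The host allowlist sketched in the quoted comment, as an added example that is not code from this bug thread or from MediaWiki/librsvg: it walks every element carrying an href (SVG 1.1 xlink:href and SVG 2 plain href, so it covers use/feImage/pattern as well as image) and matches the parsed, case-normalised hostname instead of doing a bare "starts with" string check. The allowlisted hosts, the sample SVG and the function names are assumptions made for the example.

```python
# Added example (not from the bug thread or MediaWiki): classify every href /
# xlink:href in an SVG against an allowlist of hosts, using real URL parsing
# so that scheme/host case and non-http schemes are handled explicitly.
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

XLINK = "{http://www.w3.org/1999/xlink}href"
# Assumed allowlist; the comment names commons.wikimedia.org, subprojects
# would be added here rather than via a regexp.
ALLOWED_HOSTS = {"commons.wikimedia.org", "upload.wikimedia.org"}

def classify_href(value):
    """Return one of: 'fragment', 'data', 'allowed', 'external', 'unsupported'."""
    v = value.strip()
    if v.startswith("#"):
        return "fragment"          # same-document reference, never fetched
    parts = urlsplit(v)            # urlsplit lower-cases the scheme for us
    if parts.scheme == "data":
        return "data"              # inline payload; still hits the raster decoders
    if parts.scheme not in ("http", "https"):
        return "unsupported"       # file:, ftp:, empty scheme, ... never allowed
    host = (parts.hostname or "").lower()
    return "allowed" if host in ALLOWED_HOSTS else "external"

def audit_svg(svg_text):
    """Yield (tag, href, verdict) for every element carrying an href."""
    root = ET.fromstring(svg_text)
    for el in root.iter():
        for attr in (XLINK, "href"):   # SVG 1.1 xlink:href and SVG 2 plain href
            if attr in el.attrib:
                href = el.attrib[attr]
                tag = el.tag.split("}")[-1]      # drop the namespace prefix
                yield tag, href, classify_href(href)

def external_refs(svg_text):
    """Hrefs a renderer restricted to allowlisted hosts would have to reject."""
    return [(t, h) for t, h, v in audit_svg(svg_text) if v in ("external", "unsupported")]

# Constructed sample input covering each verdict.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <use xlink:href="#logo"/>
  <image xlink:href="http://commons.wikimedia.org/w/thumb.png"/>
  <image href="HTTPS://Commons.Wikimedia.Org/x.jpg"/>
  <image xlink:href="http://commons.wikimedia.org.example.net/x.png"/>
  <feImage xlink:href="file:///tmp/local.png"/>
</svg>"""

if __name__ == "__main__":
    for tag, href, verdict in audit_svg(SAMPLE_SVG):
        print(f"{verdict:<12} <{tag}> {href}")
```

Note that the fourth sample href would pass a naive prefix check on "http://commons.wikimedia.org" without the trailing slash, but is rejected here because the parsed hostname is compared whole.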
