Support » Plugin: Scalable Vector Graphics (SVG) » SVG security

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Sterling Hamilton

    (@sterlo)

    Hey thedwards!

    Great point. I am going to do some R&D on risks and assessments towards that.
    Do you have any documentations/references that I can use to jumpstart my own investigation so I can better educate the users?

    Plugin Author Sterling Hamilton

    (@sterlo)

    Here’s my basic understanding of risks related towards SVG files that go outside of standard file upload risks.

    http://security.stackexchange.com/questions/11384/exploits-or-other-security-risks-with-svg-upload

    I could put a note in the plugin that says something like:
    “Warning: Understanding that uploading any file to the system is a potential security risk, it is strongly recommended to only let trusted users to have upload privileges.”

    This would see to be a general bit of advice for all WordPress installs and not something exclusive to SVG material. I mean – most image formats can be exploited.

    How can I alter my notice above, to provide something of value?

    Thread Starter thedwards

    (@thedwards)

    I don’t have a lot references on SVG risks, the only thing I really have found is this video from 2011: https://www.youtube.com/watch?v=v-a77QdoK2I. That stackoverflow question also looks like it outlines the basic issues, at least in the accepted answer.

    Your note is good general advice, as you say. My main concern is that not enough people know SVG is not just an image media type. True that most image formats can be exploited, but a “while(true);” statement isn’t even an exploit in SVG and it locks up the browser. I think since this is a popular SVG upload plugin it’s a great place to mention that SVG is a bit more volatile than other image formats.

    Personally I would run all my SVG through a purifier but I haven’t had a situation where I need to allow SVG uploads. However SVG is definitely here to stay and I have been considering writing a plugin that does that.

    Thanks for your response, I appreciate your willingness to look into this.

    Plugin Author Sterling Hamilton

    (@sterlo)

    Thanks!

    I’ll watch that and formulate some action. Happy to put some general guidelines as a platform for security.

    Plugin Author Sterling Hamilton

    (@sterlo)

    Here’s what I’m adding:

    “Warning: Understanding that uploading any file to the system is a potential security risk, it is strongly recommended to only let trusted users to have upload privileges.

    Resources for understanding security risks:
    * http://security.stackexchange.com/questions/11384/exploits-or-other-security-risks-with-svg-upload
    * https://www.youtube.com/watch?v=v-a77QdoK2I

    Then after adding that note in the README.

    I can implement a scan on uploaded files to detect CSS/Javascript
    Then allow the users to have a checkbox that says “allow JS” and “allow CSS”. Potentially allow “Java” or maybe approach this from the other end “Allow things other than XML”.

    I need to noodle on this a bit.

    Thread Starter thedwards

    (@thedwards)

    Instead of writing your own, you might want to look around for a SVG sanitizer that has a few contributors. I am not very familiar with this myself, but it seems like there are a few out there.

    Plugin Author Sterling Hamilton

    (@sterlo)

    Good idea.

    Plugin Author Sterling Hamilton

    (@sterlo)

    We’ll try this and see how it goes: https://github.com/alister-/SVG-Sanitizer

    I think whitelisting is a good approach.

    Thread Starter thedwards

    (@thedwards)

    Yes, I saw that one too. I agree whitelist is probably best. Also it is nice to use the built in PHP parser.

    I actually expected to find a number of scripts, but I guess SVG does not have enough popularity yet.

    Plugin Author Sterling Hamilton

    (@sterlo)

    Solution created/implemented.

    I’ll deploy this shortly.

    Thanks for bringing it up! If you see room for improvement — please reach out again.

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘SVG security’ is closed to new replies.