Have you ever thought about security issues? from Maxim Shemanarev on 2005-11-11 (www-svg@w3.org from November 2005)

From: Maxim Shemanarev <mcseem@antigrain.com>
Date: Fri, 11 Nov 2005 10:43:12 -0500
To: <www-svg@w3.org>
Message-ID: <002f01c5e6d6$a0730710$0202a8c0@mcseemxp1>

Consider the following recursive pattern in SVG:

==========================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100%" height="100%" viewBox="0 0 400 400"
     xmlns="http://www.w3.org/2000/svg" version="1.1">

  <defs>
    <pattern id="CirclePattern" patternUnits="objectBoundingBox"
             x="0" y="0" width="0.5" height="0.5"
             viewBox="0 0 100 100"
             >
      <circle cx="50" cy="50" r="50" stroke-width="5"
              fill="url(#CirclePattern)" stroke="blue" />
    </pattern>
  </defs>

  <rect fill="none" stroke="blue"
        x="1" y="1" width="398" height="398"/>

  <circle fill="url(#CirclePattern)" stroke="black" stroke-width="5"
           cx="200" cy="200" r="100"/>
</svg>
============================
It supposed to render the following:
http://antigrain.com/esv/recursive_pattern.png

It crashes Adobe SVG and leads to weird behaviour in Inkscape and Sketsa. 
The main problem is that it's a *classical security flaw* and I consider an 
SVG agent as not working if it doesn't handle these recursive things. They 
can be also markers, <use> elements, what else?

I'm afraid nobody has ever thought of it. Are there any recommendations from 
W3C?

McSeem

Received on Friday, 11 November 2005 15:43:17 UTC