- From: Paul Libbrecht <paul@hoplahup.net>
- Date: Fri, 04 Dec 2015 23:04:56 +0100
- To: Physikerwelt <wiki@physikerwelt.de>
- CC: www-math@w3.org
- Message-ID: <56620E08.3010302@hoplahup.net>
Moritz,

Can an answer be read from the Media-Type registration's "Security Concerns": http://www.w3.org/TR/MathML3/appendixb.html

From there, one can probably read what can be removed to make MathML safe:

- remove anything that includes external content (e.g. DTD things, styles, images, annotations),
- do not compute with it (or remove MathML-Content),
- remove foreign content (anything outside the MathML namespace and probably all annotations).

This has been validated by readers of the ietf-media-type mailing-list, I believe.

I'll note that the same requirement has been expressed for MathML to be considered by the ClipOps spec https://w3c.github.io/clipboard-apis/ which is still in draft.

Are we not able to write a note that demonstrates such a security?

Paul

> Physikerwelt <wiki@physikerwelt.de>
> 4 December 2015 19:04
> Dear W3C Math WG,
>
> I wonder if there is a resilient security assessment for MathML. It would be nice, if there was at least a subset of MathML, for which the security was proven according to state-of-the-art of science and technology. For example I could imagine that only presentation MathML without a finite list of possible dangerous elements such as maction or annotation could be the secure MathML subset.
>
> The background of my question is that the Wikimedia Foundation considers opening the POST endpoint for converting several input formats (i.e. TeX, AsciiMathML, and MathML) to MathML + SVG (+ PNG) [1] for the public [2].
> Currently this conversion endpoint is only accessible from within the Wikimedia Foundation cluster and only accepts texvc* input.
>
> Best
>
> Moritz Schubotz
>
> [1] https://en.wikipedia.org/api/rest_v1/?doc#!/Math/post_media_math_check_type
> If you try this link you'll get a "This client is not allowed to use the endpoint" exception rather than the security checked texvc output you receive in the unstable demo here
> http://math.beta.wmflabs.org:7231/math.beta.wmflabs.org/v1/?doc#!/Math/post_media_math_check_type
>
> [2] https://phabricator.wikimedia.org/T116147
>
> *) texvc is a well-defined subset of LaTeX with some custom macros.
Received on Friday, 4 December 2015 22:05:30 UTC
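The three reductions Paul lists (no external content, no content MathML, nothing outside the MathML namespace) together with Moritz's suggestion of dropping maction and annotation amount to an allowlist filter. The following is an added example of such a filter, not code from this thread, from the W3C Math WG, or from Wikimedia's conversion endpoint. Its element and attribute allowlists are this example's own policy choices, it requires the MathML namespace to be declared, and it refuses DOCTYPE, ENTITY and xml-stylesheet declarations outright rather than trying to prune them; the sample input is constructed.

```python
"""Reduce MathML to a presentation-only subset along the lines of the thread.

Added example, not code from the W3C list or from Wikimedia's endpoint.
The allowlists below are this example's own policy choices, following the
message: no external content (DOCTYPE, stylesheets, image glyphs), no
content MathML, no annotations, nothing outside the MathML namespace.
"""
import re
import xml.etree.ElementTree as ET

MATHML_NS = "http://www.w3.org/1998/Math/MathML"
# Serialize MathML as the default namespace instead of an ns0: prefix.
ET.register_namespace("", MATHML_NS)

# Presentation elements kept. Deliberately absent: maction, mglyph (loads
# an image via src), semantics/annotation/annotation-xml, and all content
# MathML (apply, ci, cn, csymbol, ...). Assumption: an allowlist policy.
ALLOWED_ELEMENTS = frozenset("""
    math mi mn mo mtext mspace ms mrow mfrac msqrt mroot mstyle merror
    mpadded mphantom mfenced menclose msub msup msubsup munder mover
    munderover mmultiscripts mprescripts none mtable mtr mlabeledtr mtd
""".split())

# Layout attributes only: href, src, style, class, id, event handlers and
# every namespaced attribute (xlink:href, ...) are dropped. Assumption.
ALLOWED_ATTRIBUTES = frozenset("""
    display displaystyle mathvariant mathsize scriptlevel form fence
    separator stretchy symmetric largeop movablelimits accent lspace
    rspace open close separators linethickness columnalign rowalign
    columnspan rowspan width height depth notation
""".split())

# Anything that can declare or pull in external resources is refused
# before parsing: DOCTYPE/ENTITY declarations and stylesheet PIs.
_EXTERNAL_RE = re.compile(r"<!(DOCTYPE|ENTITY)|<\?xml-stylesheet", re.IGNORECASE)


class UnsafeMathML(ValueError):
    """Input that is refused outright instead of being pruned."""


def _rebuild(elem):
    """Return a sanitized copy of elem, or None if it is dropped entirely."""
    ns, _, local = elem.tag.rpartition("}")
    if ns != "{" + MATHML_NS:
        return None                      # foreign namespace (SVG, HTML, ...)
    if local == "semantics":
        # Keep only the presentation branch (the first child); annotation
        # and annotation-xml carry content MathML or foreign markup.
        return _rebuild(elem[0]) if len(elem) else None
    if local not in ALLOWED_ELEMENTS:
        return None                      # maction, mglyph, content MathML
    clean = ET.Element(elem.tag, {k: v for k, v in elem.attrib.items()
                                  if k in ALLOWED_ATTRIBUTES})
    clean.text = elem.text
    for child in elem:
        kept = _rebuild(child)
        if kept is not None:
            clean.append(kept)
    return clean


def sanitize_mathml(source):
    """Parse source and return the presentation-only MathML as a string."""
    if _EXTERNAL_RE.search(source):
        raise UnsafeMathML("DOCTYPE, ENTITY or xml-stylesheet is not accepted")
    root = ET.fromstring(source)         # no DTD left, so no entity expansion
    if root.tag != "{%s}math" % MATHML_NS:
        raise UnsafeMathML("root element must be MathML <math>")
    return ET.tostring(_rebuild(root), encoding="unicode")


def is_rejected(source):
    """True when the filter refuses source outright (unsafe or malformed)."""
    try:
        sanitize_mathml(source)
    except (UnsafeMathML, ET.ParseError):
        return True
    return False


def local_names(xml_text):
    """Local element names of xml_text in document order, for inspection."""
    return [el.tag.rpartition("}")[2] for el in ET.fromstring(xml_text).iter()]


# Constructed sample mixing the features the thread wants removed.
SAMPLE = """<math xmlns="http://www.w3.org/1998/Math/MathML"
      xmlns:xlink="http://www.w3.org/1999/xlink">
  <semantics>
    <mrow>
      <msup><mi mathvariant="bold">x</mi><mn>2</mn></msup>
      <mo>+</mo>
      <maction actiontype="statusline"><mi>y</mi><mtext>status</mtext></maction>
      <mi style="color:red" xlink:href="http://example.invalid/">z</mi>
      <mglyph src="http://example.invalid/g.png" alt="g"/>
      <svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>
    </mrow>
    <annotation-xml encoding="MathML-Content"><apply><plus/><ci>x</ci></apply></annotation-xml>
    <annotation encoding="application/x-tex">x^2 + y + z</annotation>
  </semantics>
</math>"""

if __name__ == "__main__":
    print(sanitize_mathml(SAMPLE))
```

Rebuilding a fresh tree from an allowlist, rather than deleting known-bad nodes from the parsed one, means an element or attribute the policy has never heard of is dropped by default; the semantics element is the one case that is unwrapped instead of removed, so the visible presentation branch survives while the annotations go.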