W3C home > Mailing lists > Public > www-math@w3.org > December 2015

Re: Is MathML really Dangerous?

From: Neil Soiffer <NeilS@dessci.com>
Date: Fri, 4 Dec 2015 14:53:03 -0800
Message-ID: <CAESRWkCiJhPC7dvxwwRKNEJshz=Jf3jMWGy2dny5xvvNUE2GTQ@mail.gmail.com>
To: Paul Libbrecht <paul@hoplahup.net>
Cc: Physikerwelt <wiki@physikerwelt.de>, "www-math@w3.org" <www-math@w3.org>
MathML is a spec, not an implementation. The main security issues arise due
to the implementations. It is sort of like asking, "is HTML safe"? There
are some potential security vulnerabilities in the HTML spec due to links,
etc, but the main security issues depend on the implementation. Is Chrome
safe? Safrari? Firefox? IE? Given that they keep putting out security
patches, the answer is almost certainly "none is 100% safe."

As Paul Topping noted, the Chrome team found a *potential *security problem
in the MathML implementation (in WebKit) and yanked MathML. Safari just
fixed the problem and kept MathML in their browser. It had nothing to do
with a vulnerability in the spec, it was an implementation detail.

Paul Libbrecht already noted that appendix B of the spec (
http://www.w3.org/TR/MathML3/appendixb.html) lists some potential
vulnerabilities. These really don't differ from HTML vulnerabilities with
the exception that doing a computation with them exposes you to the
vulnerabilities of the computation system you use.

Neil Soiffer
Senior Scientist
Design Science, Inc.
~ Makers of MathType, MathFlow, MathPlayer, MathDaisy, Equation Editor ~

On Fri, Dec 4, 2015 at 2:04 PM, Paul Libbrecht <paul@hoplahup.net> wrote:

> Moritz,
> Can an answer be read from the Media-Type registration's "Security
> Concerns":
>     http://www.w3.org/TR/MathML3/appendixb.html
> >From there, one can probably read what can be removed to make MathML safe:
> - remove anything that includes external content (e.g. DTD things, styles,
> images, annotations),
> - do not compute with it (or remove MathML-Content),
> - remove foreign content (anything outside the MathML namespace and
> probably all annotations).
> This has been validated by readers of the ietf-media-type mailing-list, I
> believe.
> I'll note that the same requirement has been expressed for MathML to be
> considered by the ClipOps spec https://w3c.github.io/clipboard-apis/
> which is still in draft.
> Are we not able to write a note that demonstrates such a security?
> Paul
> Physikerwelt <wiki@physikerwelt.de>
> 4 décembre 2015 19:04
> Dear W3C Math WG,
> I wonder if there is a resilient security assessment for MathML. It
> would be nice, if there was at least a subset of MathML, for which the
> security was proven according to state-of-the-art of science and
> technology. For example I could imagine that only presentation MathML
> without a finite list of possible dangerous elements such as maction
> or annotation could be the secure MathML subset.
> The background of my question is that the Wikimedia Foundation
> considers opening the POST endpoint for converting several input
> formats (i.e. TeX, AsciMathML, and MathML) to MathML + SVG (+ PNG) [1]
> for the public[2].
> Currently this conversion endpoint it is only accessible from within
> the Wikimedia Foundation cluster and only accepts texvc* input.
> Best
> Moritz Schubotz
> [1]
> https://en.wikipedia.org/api/rest_v1/?doc#!/Math/post_media_math_check_type
> if you try this link you’ll get a “This client is not allowed to use
> the endpoint” exception rather than the security checked texvc output
> you receive in the unstable demo here
> http://math.beta.wmflabs.org:7231/math.beta.wmflabs.org/v1/?doc#!/Math/post_media_math_check_type
> [2] https://phabricator.wikimedia.org/T116147
> *) texvc is a well-defined subset of LaTeX with some custom macros.
Received on Friday, 4 December 2015 22:53:34 UTC

This archive was generated by hypermail 2.3.1 : Friday, 4 December 2015 22:53:34 UTC