From: Neil Soiffer <NeilS@dessci.com>

Date: Fri, 4 Dec 2015 14:53:03 -0800

Message-ID: <CAESRWkCiJhPC7dvxwwRKNEJshz=Jf3jMWGy2dny5xvvNUE2GTQ@mail.gmail.com>

To: Paul Libbrecht <paul@hoplahup.net>

Cc: Physikerwelt <wiki@physikerwelt.de>, "www-math@w3.org" <www-math@w3.org>

Date: Fri, 4 Dec 2015 14:53:03 -0800

Message-ID: <CAESRWkCiJhPC7dvxwwRKNEJshz=Jf3jMWGy2dny5xvvNUE2GTQ@mail.gmail.com>

To: Paul Libbrecht <paul@hoplahup.net>

Cc: Physikerwelt <wiki@physikerwelt.de>, "www-math@w3.org" <www-math@w3.org>

MathML is a spec, not an implementation. The main security issues arise due to the implementations. It is sort of like asking, "is HTML safe"? There are some potential security vulnerabilities in the HTML spec due to links, etc, but the main security issues depend on the implementation. Is Chrome safe? Safrari? Firefox? IE? Given that they keep putting out security patches, the answer is almost certainly "none is 100% safe." As Paul Topping noted, the Chrome team found a *potential *security problem in the MathML implementation (in WebKit) and yanked MathML. Safari just fixed the problem and kept MathML in their browser. It had nothing to do with a vulnerability in the spec, it was an implementation detail. Paul Libbrecht already noted that appendix B of the spec ( http://www.w3.org/TR/MathML3/appendixb.html) lists some potential vulnerabilities. These really don't differ from HTML vulnerabilities with the exception that doing a computation with them exposes you to the vulnerabilities of the computation system you use. Neil Soiffer Senior Scientist Design Science, Inc. www.dessci.com ~ Makers of MathType, MathFlow, MathPlayer, MathDaisy, Equation Editor ~ On Fri, Dec 4, 2015 at 2:04 PM, Paul Libbrecht <paul@hoplahup.net> wrote: > Moritz, > > Can an answer be read from the Media-Type registration's "Security > Concerns": > http://www.w3.org/TR/MathML3/appendixb.html > > >From there, one can probably read what can be removed to make MathML safe: > - remove anything that includes external content (e.g. DTD things, styles, > images, annotations), > - do not compute with it (or remove MathML-Content), > - remove foreign content (anything outside the MathML namespace and > probably all annotations). > > This has been validated by readers of the ietf-media-type mailing-list, I > believe. > > I'll note that the same requirement has been expressed for MathML to be > considered by the ClipOps spec https://w3c.github.io/clipboard-apis/ > which is still in draft. > > Are we not able to write a note that demonstrates such a security? > > Paul > > Physikerwelt <wiki@physikerwelt.de> > 4 décembre 2015 19:04 > Dear W3C Math WG, > > I wonder if there is a resilient security assessment for MathML. It > would be nice, if there was at least a subset of MathML, for which the > security was proven according to state-of-the-art of science and > technology. For example I could imagine that only presentation MathML > without a finite list of possible dangerous elements such as maction > or annotation could be the secure MathML subset. > > The background of my question is that the Wikimedia Foundation > considers opening the POST endpoint for converting several input > formats (i.e. TeX, AsciMathML, and MathML) to MathML + SVG (+ PNG) [1] > for the public[2]. > Currently this conversion endpoint it is only accessible from within > the Wikimedia Foundation cluster and only accepts texvc* input. > > Best > > Moritz Schubotz > > [1] > https://en.wikipedia.org/api/rest_v1/?doc#!/Math/post_media_math_check_type > if you try this link you’ll get a “This client is not allowed to use > the endpoint” exception rather than the security checked texvc output > you receive in the unstable demo here > > http://math.beta.wmflabs.org:7231/math.beta.wmflabs.org/v1/?doc#!/Math/post_media_math_check_type > > [2] https://phabricator.wikimedia.org/T116147 > > *) texvc is a well-defined subset of LaTeX with some custom macros. > > >Received on Friday, 4 December 2015 22:53:34 UTC

*
This archive was generated by hypermail 2.3.1
: Friday, 4 December 2015 22:53:34 UTC
*