Re: Have you ever thought about security issues?

On 11/11/05 10:41 AM, Maxim Shemanarev wrote:
> Anyway, there's a choice if you control the level of recursion (and it's 
> a must IMO). You can report an error and stop, or you can keep rendering 
> until some level of recursion is exceeded. I don't see any other elegant 
> way of detecting the loops, because they can have any level of 
> indirection (a pattern refers to another pattern that refers to another 
> pattern, etc... and the first pattern refers to the first one).
> BTW, is that legal to have *nested* patterns/markers at all in SVG? I 
> think it should be, but some agents don't do that. For example, Firefox 
> SVG doesn't draw nested markers (it doesn't draw patterns at all, though).

Firefox can render nested markers just fine, as can Batik and ASV.  The 
trunk development of Firefox (not the 1.5 release branch) does implement 
<pattern>, though with some artifacts that seem at first glance to be 
caused by cairo.

We've added a number of checks to prevent reference looping, though if 
you find some way of tricking it into an infinite loop we'd like to hear 
about it.  <pattern> isn't currently protected - patch pending.

-tor

Received on Friday, 11 November 2005 17:12:10 UTC
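
The two approaches discussed in this message (detecting a reference loop at any level of indirection, and capping the recursion depth) can be combined in one pre-render check. The sketch below is an added example, not part of the original message and not code from Firefox, Batik, ASV or AGG. The function names, the list of scanned attributes and the `MAX_DEPTH` value of 16 are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

URL_REF = re.compile(r"url\(\s*#([^)\s]+)\s*\)")
REF_ATTRS = ("fill", "stroke", "marker-start", "marker-mid", "marker-end")
MAX_DEPTH = 16  # assumed cap; the thread names no specific value

# Constructed sample: p1 -> p2 -> p3 -> p1 loops indirectly; m1 nests m2 legally.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg">
  <pattern id="p1"><rect fill="url(#p2)"/></pattern>
  <pattern id="p2"><rect fill="url(#p3)"/></pattern>
  <pattern id="p3"><rect fill="url(#p1)"/></pattern>
  <marker id="m1"><path marker-end="url(#m2)"/></marker>
  <marker id="m2"><path/></marker>
  <rect id="bad" fill="url(#p1)"/>
  <path id="ok" marker-end="url(#m1)"/>
</svg>"""

def refs(el):
    """IDs that el or any of its descendants reference through url(#id)."""
    found = []
    for node in el.iter():
        for attr in REF_ATTRS:
            m = URL_REF.search(node.get(attr, ""))
            if m:
                found.append(m.group(1))
    return found

def check(el, index, stack=()):
    """Return None if el is safe to render, else a description of the problem."""
    if len(stack) > MAX_DEPTH:          # second line of defence: hard depth cap
        return "depth limit exceeded"
    for target in refs(el):
        if target in stack:             # target is already being expanded: a loop
            return "loop: " + " -> ".join(stack[stack.index(target):] + (target,))
        if target in index:
            err = check(index[target], index, stack + (target,))
            if err:
                return err
    return None

def audit(svg_text):
    """Map every element id in the document to its check() result."""
    root = ET.fromstring(svg_text)
    index = {el.get("id"): el for el in root.iter() if el.get("id")}
    return {i: check(el, index) for i, el in index.items()}
```

Tracking the chain of IDs currently being expanded catches a loop however many patterns sit between the first reference and the one that closes it, while the depth cap bounds long non-looping chains.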