Security implications of letting users render own SVG files


Question

I plan to let website users upload their own SVG documents and render them with inkscape or svg2pdf. The users will either be unauthenticated or go through a trivial sign-up process, so I would expect some hack attempts. I should therefore appreciate any pointers on what filtering I can do to minimise security threats.

  • Inkscape doesn't seem to be bothered by JavaScript onload tags and happily renders the content without anything untoward happening (that said, I can't get Firefox 10 to cough up an alert box either using that approach).
  • I am concerned that an <image xlink:href /> tag could link to a huge or malformed bitmap image using an external URI - which theoretically could crash the service. Is there an easy way to traverse the XML document to filter these? I can do this easily with XMLReader of course, but wonder if I might have to deal with things like &#111;nload for 'onload' (though Firefox just rejected it as invalid, so perhaps this is a needless worry). Side note: images in themselves are acceptable, but I think I'd require them to either be inline data: or whitelist acceptable target URIs, with filesize limitations.
  • Are there any SVG directives (in particular that render text) that could include the text contents of system files, such as /etc/passwd etc?
  • One approach I could also take is validation against the SVG spec. That's the subject of another question I've asked here.

I'm using PHP 5.2 with XMLReader and XMLWriter, though other PHP stream-based systems would be acceptable. Systems are OS X 10.6.8 for dev, and LAMP on production.

Answer

Are there any SVG directives (in particular that render text) that could include the text contents of system files, such as /etc/passwd etc?

You need to make sure XXE attacks are not possible for your specific implementation, see here.
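The following is an added example, not code from the question or the answer, that turns the asker's filtering list (event attributes, external image references) and the answer's XXE point into one streaming pre-check built on the XMLReader the asker already uses. It assumes PHP 5.2.11 or later for libxml_disable_entity_loader (on PHP 8 that call is deprecated and external entity loading is already off by default, so it is skipped there); the sample SVG strings at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): reject an uploaded SVG before
// it reaches inkscape/svg2pdf if it contains anything the question worries about.
// Rejecting is simpler and safer than trying to rewrite the document in place.
function svg_rejections($svg, $maxBytes = 1048576)
{
    if (strlen($svg) > $maxBytes) {
        return array('file larger than ' . $maxBytes . ' bytes');
    }
    $problems = array();

    // Parser hardening: no network fetches, no DTD loading, no entity substitution.
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    libxml_clear_errors();

    $reader = new XMLReader();
    if (!$reader->xml($svg, null, LIBXML_NONET)) {
        return array('not parseable as XML');
    }
    $reader->setParserProperty(XMLReader::LOADDTD, false);
    $reader->setParserProperty(XMLReader::SUBST_ENTITIES, false);

    while ($reader->read()) {
        switch ($reader->nodeType) {
            case XMLReader::DOC_TYPE:
                // Any DOCTYPE can declare entities; SVG never needs one for rendering.
                $problems[] = 'DOCTYPE declaration (possible XXE)';
                break;
            case XMLReader::ENTITY_REF:
                $problems[] = 'entity reference &' . $reader->name . ';';
                break;
            case XMLReader::PI:
                $problems[] = 'processing instruction <?' . $reader->name . '?>';
                break;
            case XMLReader::ELEMENT:
                $element = strtolower($reader->localName);
                if ($element === 'script' || $element === 'foreignobject') {
                    $problems[] = '<' . $element . '> element';
                }
                if ($reader->hasAttributes && $reader->moveToFirstAttribute()) {
                    do {
                        $attr = strtolower($reader->localName);
                        $value = $reader->value; // already character-reference decoded
                        if (substr($attr, 0, 2) === 'on') {
                            $problems[] = 'event handler attribute ' . $attr . ' on <' . $element . '>';
                        }
                        // xlink:href or SVG2 href: allow same-document fragments and
                        // inline data:image/ URIs only; everything else is external.
                        if ($attr === 'href' && !preg_match('#^(\#|data:image/)#i', $value)) {
                            $problems[] = 'external reference on <' . $element . '>: ' . $value;
                        }
                    } while ($reader->moveToNextAttribute());
                    $reader->moveToElement();
                }
                break;
        }
    }
    $reader->close();

    // Well-formedness errors (including undeclared entities) also mean rejection.
    foreach (libxml_get_errors() as $error) {
        $problems[] = 'XML error: ' . trim($error->message);
    }
    libxml_clear_errors();
    return $problems;
}

// Constructed sample inputs for the demonstration.
$benign = '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
        . '<rect width="10" height="10" fill="red"/></svg>';
$hostile = '<?xml version="1.0"?>'
         . '<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
         . '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
         . '<text>&xxe;</text><image xlink:href="http://example.invalid/huge.png"/></svg>';

print_r(svg_rejections($benign));   // empty array: safe to hand to the renderer
print_r(svg_rejections($hostile));  // DOCTYPE, onload, entity ref, external href
```

Two details answer the asker's specific worries. A name such as `&#111;nload` is not a legal XML attribute name, so the parser reports a well-formedness error and the file is rejected on that basis; character references inside attribute values, however, are decoded before `XMLReader::$value` is read, so the `href` check sees `http://` even if the upload spelled it with `&#104;ttp://`. The DOCTYPE rejection is what closes the `/etc/passwd` question: without entity declarations there is nothing for a text-rendering directive to expand, and the parser flags that keep entity loading off are the safety net for any path that still parses the raw file.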
