ubuntu-appstore-developers team mailing list archive

[Rodney Dawes <rodney.dawes@xxxxxxxxxxxxx>]

On Tue, 2014-04-22 at 17:59 +0200, Jonas Drange wrote:
> 
> 
> On Tue, Apr 22, 2014 at 5:43 PM, Rodney Dawes
> <rodney.dawes@xxxxxxxxxxxxx> wrote:
>         My suggestion wasn't to replace all the PNGs with SVGs. In
>         some cases
>         that's just not feasible, because the images were drawn with
>         raster
>         editors anyway. But making SVG an option on upload, will let
>         people who
>         want to use it, use it, and can certainly help reduce file
>         size for
>         transferring the icon. I'd certainly want to be able to use it
>         for any
>         apps I were to make.
> 
> 
> Aren't user uploaded SVGs a potential security risk? Is it possible to
> completely sanitize an SVG document?

How so? Sure it's possible to sanitize it. But I don't see how it's any
more of a security risk than someone uploading a PNG or JPEG that
exploits a problem in libpng or libjpeg.

Is it any worse than uploading a click package that does evil things?
Should we be running code in apps through sanity checkers as well as the
artwork?