[E-devel] Insecure SVG loader test
hi all, in src/bin/e_main.c there is this wonderful gem _e_main_test_svg_loader. Writting a hard-coded XML file to a known location is just asking for trouble. It basically means that anyone with write access to /tmp can make the E17 user overwrite a file with permissions of the user. It also creates race conditions for multiple users. Any reason why this piece of code is needed at all? While looking at seemingly redundant code: why is e_fm_mime_icon_get not using efreet? Joerg -- This SF.net email is sponsored by Make an app they can't live without Enter the BlackBerry Developer Challenge http://p.sf.net/sfu/RIM-dev2dev ___ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
Re: [E-devel] Insecure SVG loader test
On Sat, 14 Aug 2010 23:13 +0200, Joerg Sonnenberger wrote : > hi all, > in src/bin/e_main.c there is this wonderful gem _e_main_test_svg_loader. > Writting a hard-coded XML file to a known location is just asking for > trouble. It basically means that anyone with write access to /tmp can > make the E17 user overwrite a file with permissions of the user. It also > creates race conditions for multiple users. Thanks for sending this. I think I mentionned it on IRC at one point, and then forgot about it. > Any reason why this piece of > code is needed at all? That's a little bit complicated: - The freedesktop.org spec says that SVG icons lookup is optional, but if it is supported, then the lookup order is png -> svg -> xpm - If efreet returns an SVG icon when SVG rendering is not compiled in evas, then you get no icon where an xpm icon (which could have been rendered correctly) might have existed. - Since there is no way to ask evas if SVG support is available (which I think is a mistake), you need to do some kind of runtime detection. - Right now, the only practical way to do that is using some voodoo: create a dummy file and try to load it. To sum it up: it's here because such kind of tests are the only way to check whether Evas supports a particular format. Or at least, so were they when the patch got commited. Cheers, -- Albin Tonnerre -- This SF.net email is sponsored by Make an app they can't live without Enter the BlackBerry Developer Challenge http://p.sf.net/sfu/RIM-dev2dev ___ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
Re: [E-devel] Insecure SVG loader test
On Sat, Aug 14, 2010 at 11:35:13PM +0200, Albin Tonnerre wrote: > - If efreet returns an SVG icon when SVG rendering is not compiled in evas, >then you get no icon where an xpm icon (which could have been rendered >correctly) might have existed. OK > - Since there is no way to ask evas if SVG support is available (which I > think >is a mistake), you need to do some kind of runtime detection. Yes, that's bad. > - Right now, the only practical way to do that is using some voodoo: create a >dummy file and try to load it. Why not use install the dummy file to a known location and try loading it that way? share/enlightenment/data/icons/dummy.svg or so. Joerg -- This SF.net email is sponsored by Make an app they can't live without Enter the BlackBerry Developer Challenge http://p.sf.net/sfu/RIM-dev2dev ___ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
Re: [E-devel] Insecure SVG loader test
On Sat, 14 Aug 2010 23:46 +0200, Joerg Sonnenberger wrote : > On Sat, Aug 14, 2010 at 11:35:13PM +0200, Albin Tonnerre wrote: > > - If efreet returns an SVG icon when SVG rendering is not compiled in evas, > >then you get no icon where an xpm icon (which could have been rendered > >correctly) might have existed. > > OK > > > - Since there is no way to ask evas if SVG support is available (which I > > think > >is a mistake), you need to do some kind of runtime detection. > > Yes, that's bad. > > > - Right now, the only practical way to do that is using some voodoo: > > create a > >dummy file and try to load it. > > Why not use install the dummy file to a known location and try loading > it that way? share/enlightenment/data/icons/dummy.svg or so. I can't recall, and like I said I'd much rather have Evas being able to expose the information. But if it's not going to happen, then the file should either be shipped with e17 or created in a more secure manner (I'd prefer that, but that's a matter of personal taste). Cheers, -- Albin Tonnerre -- This SF.net email is sponsored by Make an app they can't live without Enter the BlackBerry Developer Challenge http://p.sf.net/sfu/RIM-dev2dev ___ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
Re: [E-devel] Insecure SVG loader test
On Sun, 15 Aug 2010 00:17:40 +0200 Albin Tonnerre said: > On Sat, 14 Aug 2010 23:46 +0200, Joerg Sonnenberger wrote : > > On Sat, Aug 14, 2010 at 11:35:13PM +0200, Albin Tonnerre wrote: > > > - If efreet returns an SVG icon when SVG rendering is not compiled in > > > evas, then you get no icon where an xpm icon (which could have been > > > rendered correctly) might have existed. > > > > OK > > > > > - Since there is no way to ask evas if SVG support is available (which I > > > think is a mistake), you need to do some kind of runtime detection. > > > > Yes, that's bad. > > > > > - Right now, the only practical way to do that is using some voodoo: > > > create a dummy file and try to load it. > > > > Why not use install the dummy file to a known location and try loading > > it that way? share/enlightenment/data/icons/dummy.svg or so. > > I can't recall, and like I said I'd much rather have Evas being able to expose > the information. But if it's not going to happen, then the file should either > be shipped with e17 or created in a more secure manner (I'd prefer that, but > that's a matter of personal taste). that's precisely how the other tests work. e ships a small set of test images. see data.images/test.png, test.jpg, test.edj etc. - e_main has a snippet to test this. the "write out xml to /tmp" is wrong... jeffdameth! :) -- - Codito, ergo sum - "I code, therefore I am" -- The Rasterman (Carsten Haitzler)ras...@rasterman.com -- This SF.net email is sponsored by Make an app they can't live without Enter the BlackBerry Developer Challenge http://p.sf.net/sfu/RIM-dev2dev ___ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
Re: [E-devel] Insecure SVG loader test
Quoting Albin Tonnerre : > On Sat, 14 Aug 2010 23:46 +0200, Joerg Sonnenberger wrote : >> On Sat, Aug 14, 2010 at 11:35:13PM +0200, Albin Tonnerre wrote: >> > - If efreet returns an SVG icon when SVG rendering is not >> compiled in evas, >> >then you get no icon where an xpm icon (which could have been rendered >> >correctly) might have existed. >> >> OK >> >> > - Since there is no way to ask evas if SVG support is available >> (which I think >> >is a mistake), you need to do some kind of runtime detection. >> >> Yes, that's bad. >> >> > - Right now, the only practical way to do that is using some >> voodoo: create a >> >dummy file and try to load it. >> >> Why not use install the dummy file to a known location and try loading >> it that way? share/enlightenment/data/icons/dummy.svg or so. > > I can't recall, and like I said I'd much rather have Evas being able > to expose > the information. But if it's not going to happen, then the file should either > be shipped with e17 or created in a more secure manner (I'd prefer that, but > that's a matter of personal taste). you can test that only at runtime and not at configure time, as someone can add the svg loader (as a shared lib) after an installation of evas. So it can only be after testing a svg file, I think. Vincent This message was sent using IMP, the Internet Messaging Program. -- This SF.net email is sponsored by Make an app they can't live without Enter the BlackBerry Developer Challenge http://p.sf.net/sfu/RIM-dev2dev ___ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
Re: [E-devel] Insecure SVG loader test
On Sun, 15 Aug 2010 07:00 +0200, vto...@univ-evry.fr wrote : > Quoting Albin Tonnerre : > > > you can test that only at runtime and not at configure time, as someone > can add > the svg loader (as a shared lib) after an installation of evas. So it can only > be after testing a svg file, I think. There's no doubt about that. The question was whether the test file should be shipped with e17, or created on the fly. In both cases, we end up doing runtime checks though. Cheers, -- Albin Tonnerre -- This SF.net email is sponsored by Make an app they can't live without Enter the BlackBerry Developer Challenge http://p.sf.net/sfu/RIM-dev2dev ___ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
