On Tue, Dec 11, 2012 at 01:47:36AM +0530, Ajay Garg wrote: > In my current approach, a file in "icon_files" folder is not removed > ever, once it is written.
So I can attack a user (denial of service) by providing an .xo file with a very very large .svg file in it, and there is nothing the user can do ... in Sugar ... to escape from the situation. It is an added security vulnerability. So, Nak. As an example, http://dev.laptop.org/~quozl/denial-of-service.zip is an old activity of mine with the .svg file replaced by 1 GB of zero bytes, which compresses nicely. When this file is renamed to .xo and downloaded with Sugar is to result in 1 MB of download data, and in 2 GB of storage loss; 1 GB for the activity/*.svg files, and 1 GB for the /icon_files/ -- James Cameron http://quozl.linux.org.au/ _______________________________________________ Sugar-devel mailing list [email protected] http://lists.sugarlabs.org/listinfo/sugar-devel
