Well, I can't think how to overcome this :D If this is indeed an issue, I can only begin to think of the catastrophe that this could cause in the earlier implementation (writing multiple files, per-activity-per-rendering-in-listview).
On Tue, Dec 11, 2012 at 2:09 AM, James Cameron <[email protected]> wrote:

> On Tue, Dec 11, 2012 at 01:47:36AM +0530, Ajay Garg wrote:
> > In my current approach, a file in "icon_files" folder is not removed
> > ever, once it is written.
>
> So I can attack a user (denial of service) by providing an .xo file
> with a very very large .svg file in it, and there is nothing the user
> can do ... in Sugar ... to escape from the situation.
>
> It is an added security vulnerability.
>
> So, Nak.
>
> As an example, http://dev.laptop.org/~quozl/denial-of-service.zip is
> an old activity of mine with the .svg file replaced by 1 GB of zero
> bytes, which compresses nicely. When this file is renamed to .xo and
> downloaded with Sugar is to result in 1 MB of download data, and in 2
> GB of storage loss; 1 GB for the activity/*.svg files, and 1 GB for
> the /icon_files/
>
> --
> James Cameron
> http://quozl.linux.org.au/

Regards,
Ajay Garg
Dextrose Developer
Activity Central: http://activitycentral.com
_______________________________________________
Sugar-devel mailing list
[email protected]
http://lists.sugarlabs.org/listinfo/sugar-devel
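The thread above describes a bundle whose .svg member is a very large, highly compressible file: a small download that expands into a large amount of storage. The usual mitigation is to check an archive's declared member sizes and compression ratios before extracting anything, and to cap the number of bytes actually inflated so that a lying header cannot bypass the check. The following is an added example illustrating that mitigation; it is not code from Sugar or from either author of the messages. The size limits, the helper names and the constructed sample bundle are all assumptions chosen for illustration.

```python
import io
import zipfile

# Hypothetical limits (assumptions, not Sugar's real policy).
MAX_SVG_BYTES = 256 * 1024          # largest acceptable icon .svg
MAX_TOTAL_BYTES = 64 * 1024 * 1024  # largest acceptable unpacked bundle
MAX_RATIO = 100                     # suspicious uncompressed/compressed ratio
RATIO_CHECK_MIN = 64 * 1024         # only apply the ratio check above this size

# Constructed sample .svg content for the "good" bundle case.
SMALL_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="55" height="55">'
    b'<circle cx="27" cy="27" r="20" fill="#0000ff"/></svg>'
)


def build_sample_bundle(svg_bytes):
    """Construct an in-memory .xo-style zip with a given activity-icon .svg.
    This stands in for a downloaded bundle; it is test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Demo.activity/activity/activity.info",
                    "[Activity]\nname = Demo\n")
        zf.writestr("Demo.activity/activity/activity-icon.svg", svg_bytes)
    return buf.getvalue()


def check_bundle(data, max_svg_bytes=MAX_SVG_BYTES,
                 max_total_bytes=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Inspect the central directory only (nothing is inflated) and return
    a list of reasons to reject the bundle; an empty list means acceptable."""
    problems = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            if (info.filename.lower().endswith(".svg")
                    and info.file_size > max_svg_bytes):
                problems.append("%s: svg declares %d bytes (limit %d)"
                                % (info.filename, info.file_size, max_svg_bytes))
            if info.file_size >= RATIO_CHECK_MIN and info.compress_size > 0:
                ratio = info.file_size / float(info.compress_size)
                if ratio > max_ratio:
                    problems.append("%s: compression ratio %.0f:1 exceeds %d:1"
                                    % (info.filename, ratio, max_ratio))
    if total > max_total_bytes:
        problems.append("bundle declares %d bytes total (limit %d)"
                        % (total, max_total_bytes))
    return problems


def safe_read_member(data, name, max_bytes, chunk=64 * 1024):
    """Inflate one member while counting output bytes, so the cap holds even
    if the header understates the real size. Raises ValueError when exceeded."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        with zf.open(name) as member:
            while True:
                block = member.read(chunk)
                if not block:
                    break
                out.extend(block)
                if len(out) > max_bytes:
                    raise ValueError("%s exceeds %d bytes while inflating"
                                     % (name, max_bytes))
    return bytes(out)


if __name__ == "__main__":
    # A 4 MiB run of zero bytes compresses to a few KiB, like the thread's example
    # (only much smaller); the header check rejects it before anything is written.
    bad = build_sample_bundle(b"\0" * (4 * 1024 * 1024))
    for p in check_bundle(bad):
        print("reject:", p)
    good = build_sample_bundle(SMALL_SVG)
    print("good bundle problems:", check_bundle(good))
```

The header check is cheap and catches the case the thread describes, but it trusts the central directory; `safe_read_member` is the backstop to use when a member is actually extracted, since it stops inflating as soon as the cap is crossed rather than after the whole file has been written to disk.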

