Page MenuHomePhabricator
Create Task
Maniphest T407710

Allow Lua access to source code of SVG files
Open, Needs TriagePublicFeature
Actions

Description

In T405861#11285988, @Bawolff wrote:

I think the next obvious question is can we make mw.title.new("Media:foo.svg"):getContent() return the text of the svg if the file is below a certain size. Then we could have lua do post processing on svg files, to e.g. change the colour of something.

More generally it would be kind of cool to allow lua access to (small) uploaded files. You could imagine allowing uploads of csv files as an alternative to jsonData.

In T405861#11286578, @SD0001 wrote:

A more reasonable API might be as part of file metadata: mw.title.new("File:foo.svg").file.source, so that's it's recorded as a file usage. Or even better: mw.svg.newFromFile("foo.svg").

Related Objects

Event Timeline

SD0001 created this task.Sun, Oct 19, 4:37 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSun, Oct 19, 4:37 PM
SD0001 mentioned this in T405861: Add support for generating static SVG images via Scribunto.Sun, Oct 19, 4:57 PM
IKhitron awarded a token.Sun, Oct 19, 5:05 PM
Maintenance_bot added a project: Commons.Sun, Oct 19, 5:30 PM
Izno subscribed.Sun, Oct 19, 6:10 PM

Does this not run into the same security issue as described in T5593: [Epic] SVG client side rendering regarding scripts potentially uploaded before the dawn of sanitization?

Bawolff added a comment.EditedSun, Oct 19, 6:55 PM
In T407710#11288105, @Izno wrote:

Does this not run into the same security issue as described in T5593: [Epic] SVG client side rendering regarding scripts potentially uploaded before the dawn of sanitization?

Not really. The security of this is based on the idea that SVGs are being run in "secure animated mode" https://svgwg.org/specs/integration/#secure-animated-mode so sanitization is not really relavent.

Quite frankly it doesn't matter on the other ticket either. The risky part of SVGs is them being on upload.wikimedia.org. Using them on site in an <img> tag is not risky.

If there were malicious svgs from before the dawn of sanitization, it would be a problem *right now* because they are on upload.wikimedia.org which is where the risk is. Contrary to popular opinion, upload.wikimedia.org is not properly isolated from the main site so having malicious svgs there would be bad (And nobody seems particularly interested in fixing that, sadly).

The only thing that would increase risk here is if you could use the <svg> tags directly on a page instead of in an <img> tag. However i don't think anyone is proposing that in any of these tickets.

Edit: There is a minor risk in this scheme, where the user could right-click the image, and select download file, and then view the file locally, which if malicious might reveal their IP address.

Pppery awarded a token.Sun, Oct 19, 10:38 PM
Nardog subscribed.Mon, Oct 20, 12:05 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits