
Adding .svg to allowed attachment file types?


magic:
No, I would put MalwareScript in the SVG which, when opened as an individual "image" ;), downloads the account settings form from the forum, extracts CSRF cookies and submits the form filled with my email address. Then I reset your password.

Same Origin Policy shouldn't be a problem, I make requests to https://www.eevblog.com/ and thankfully attachments are also served from the same domain and over HTTPS :phew:

The last doubt I have is if XMLHttpRequest really permits downloading arbitrary URLs and submitting arbitrary POSTs, but it is my recollection that this is exactly what it does.

And none of it would show up on the thumbnail, of course, because MalwareScript is disabled in <img> mode :-+

Zero999:

--- Quote from: magic on February 23, 2022, 11:07:01 pm ---BTW, I have no idea about real world efficiency of SVG. I mean, it's uncompressed XML :o so it cannot be great, but it's not a dumb bitmap format OTOH.

That being said, GIF isn't too bad either. Here's a real world schematic with almost 100 components in 32KB GIF.
https://www.eevblog.com/forum/projects/opamps-die-pictures/?action=dlattach;attach=1190312;image

Produced from the ASC vector format ;)
The schematic is 16KB plus definitions of all the symbols (~500 bytes per symbol so maybe ~3KB total).

I guess SVG fanboys can upload something of comparable complexity to support their case :box:

--- End quote ---
Why use colour? I converted that file to a monochrome PNG and it's now only 12.4kB.

Monochrome PNGs are a similar size, or sometimes smaller than ASC.

8-bit colour PNGs are normally smaller than GIFs. I generally use monochrome PNGs for schematics and those which do require colour are 8-bit, or less, which keeps the file size as small as possible.

I do like SVG and this has been mentioned before, but the consensus was it's too much of a security risk.

Nominal Animal:

--- Quote from: magic on February 25, 2022, 09:56:52 am ---No, I would put MalwareScript in the SVG which, when opened as an individual "image" ;)
--- End quote ---
As a page, you mean, instead of in an <img> element.  That would allow it to do stuff like XSS requests, yes.


--- Quote from: magic on February 25, 2022, 09:56:52 am ---submits the form filled with my email address.
--- End quote ---
You forgot that the Account Settings page requires the current password (at the bottom) for exactly this reason!

(At least my browser requires actual user interaction to auto-fill it if saved as a login in the browser.)


--- Quote from: magic on February 25, 2022, 09:56:52 am ---thankfully attachments are also served from the same domain and over HTTPS
--- End quote ---
You know, your and Ian.M's points have helped me realize a very important thing about online forums: they really should store all user attachments on a different domain.  Not just for cross-site request vulnerabilities, but also because of server-side security considerations and resource use, things like how much CPU time may a single request consume before it is killed, when e.g. generating thumbnails.  To me, this is very important, a new aspect of discussion forum security that I had not realized before.  Thank you.

The obvious domain choice is to use dedicated subdomains, like forum.domain, attachments.domain, and auth.domain.  The last one could be a solution to the problem I have with web hosting services –– they can provide only a single Unix account and group per site ––, essentially treating the problem of access to authentication information across the entire site, as a single-sign-on problem instead.  That is, only auth.domain would ever have write access to the user account details, or any access to the privileged user information.  (A fourth one, admin.domain, would help separate privileged administrative/moderation actions from normal operations in a similar way.) This would not only help with the server side scripting reliability – a script that does not have access to sensitive information cannot leak that sensitive information –, but also protect against cross-site attacks among subdomains.

If you have your own virtual server running Apache or Nginx, the configuration to support all on the same machine in different trees (and different Unix user accounts, to stop server-side script bugs exploiting direct filesystem access) is very simple; you can even make a group hierarchy that allows a "human" user to manage them all without sudo.  You only need a single certificate, for *.domain, too.
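Two checks that go with the "attachments on their own host" layout described above, written as an added example (this is not code from the thread, from SMF or from any forum). The first encodes the caveat the split depends on: moving attachments to attachments.domain stops a directly opened file from sharing the forum's origin, but the session cookie is still sent there if it was set with a Domain attribute covering the parent domain, so the cookie must be host-only for the separation to mean anything. The second builds the response headers such a host should send so that anything it serves cannot run as a document. Hostnames, cookie shapes and file names are placeholders.

```javascript
// Added example: cookie-scope and response-header checks for a separate
// attachment host. Hostnames and cookie objects below are placeholders.

// RFC 6265 domain matching: a cookie with Domain=eevblog.com is sent to every
// subdomain; a cookie without Domain is host-only and reaches that host alone.
function cookieReaches(cookie, host) {
  if (!cookie.domain) return host.toLowerCase() === cookie.host.toLowerCase();
  const d = cookie.domain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Attachments are isolated from the forum only if they live on a different
// origin AND the forum's session cookie cannot reach that origin.
function attachmentsIsolated(forumOrigin, attachmentOrigin, sessionCookie) {
  const f = new URL(forumOrigin);
  const a = new URL(attachmentOrigin);
  if (f.origin === a.origin) return false;
  return !cookieReaches(sessionCookie, a.hostname);
}

// Raster formats that carry no markup and may be shown inline.
const INERT_IMAGE_TYPES = new Set(['image/png', 'image/gif', 'image/jpeg', 'image/webp']);

// Headers for serving one uploaded file from the attachment host.
function attachmentHeaders(contentType, filename) {
  const safeName = filename.replace(/[^\w.-]/g, '_');
  // Anything that can carry markup (SVG, PDF, HTML) is forced to download so the
  // browser never renders it as a document; inert rasters may display inline.
  const disposition = INERT_IMAGE_TYPES.has(contentType) ? 'inline' : 'attachment';
  return {
    'Content-Type': contentType,
    'X-Content-Type-Options': 'nosniff',                       // no sniffing a "PNG" into HTML
    'Content-Security-Policy': "sandbox; default-src 'none'",  // opaque origin, no script, no subresources
    'Content-Disposition': `${disposition}; filename="${safeName}"`,
  };
}

// Worked check with placeholder hosts.
const hostOnlySession = { host: 'www.eevblog.com' };
const domainWideSession = { domain: '.eevblog.com' };
console.log(attachmentsIsolated('https://www.eevblog.com', 'https://attachments.eevblog.com', hostOnlySession));
console.log(attachmentsIsolated('https://www.eevblog.com', 'https://attachments.eevblog.com', domainWideSession));
console.log(attachmentHeaders('image/svg+xml', 'schematic v2.svg'));
```

The CSP `sandbox` directive is belt and braces for the case where someone later relaxes the download rule: a sandboxed document gets an opaque origin and no script, so even an SVG that is rendered cannot read or post to anything.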

magic:

--- Quote from: Nominal Animal on February 25, 2022, 10:58:45 am ---You forgot that the Account Settings page requires the current password (at the bottom) for exactly this reason!

--- End quote ---
Damn, I missed it. But not all is lost :-+

Since SVG can contain embedded HTML, we can put the whole SMF login page into it (again, not rendered in thumbnails) telling the sucker to log in again because some internal server error has occurred and session cookies have been lost or whatever >:D

And of course, there are useful actions that don't require password. Like, everybody viewing my pics ends up thanking every one of my posts and PMing Dave to make me the official Designated SVG Expert of the forum :D


--- Quote from: Zero999 on February 25, 2022, 10:54:09 am ---Monochrome PNGs are a similar size, or sometimes smaller than ASC.

8-bit colour PNGs are normally smaller than GIFs. I generally use monochrome PNGs for schematics and those which do require colour are 8-bit, or less, which keeps the file size as small as possible.

--- End quote ---
Interesting, I used GIF because I assumed that PNGs are 24 bit only. They always turned out larger for me. Will have to investigate.
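The two attack sketches in magic's posts above (script in an SVG that is opened as its own document, and embedded HTML inside an SVG standing in for a login page) map onto a short list of constructs a forum could refuse at upload time. The scanner below is an added example, not code from the thread, from SMF or from the attachment mod; it flags `<script>`, event-handler attributes, `javascript:` URLs (including entity-obfuscated ones), `<foreignObject>` and other HTML embedding elements, SMIL elements that can rewrite attributes at run time, references to other documents, and DTD internal subsets (entity tricks aimed at a server-side thumbnailer). It is deliberately regex based so it can run before any XML parser sees the file, and it errs towards rejecting. The sample files and the `/account` and `/login` paths in them are constructed for the demonstration.

```javascript
// Added example: a pre-parse scanner for SVG uploads. Samples and paths are
// constructed placeholders, not real forum URLs.

const ACTIVE_ELEMENTS = new Set([
  'script',                              // runs when the SVG is opened as a document
  'foreignobject',                       // embeds arbitrary HTML (forms, iframes) in the image
  'iframe', 'embed', 'object',           // HTML embedding elements (legal inside foreignObject)
  'set', 'animate', 'animatetransform',  // SMIL can rewrite attributes such as href at run time
]);
const REFERENCE_ATTRS = new Set(['href', 'xlink:href', 'src', 'data']);

// Expand the entity forms used to disguise a scheme, e.g. &#106;avascript:
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\ufffd');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(lt|gt|amp|quot|apos);/gi, (_, n) => named[n.toLowerCase()]);
}

// Scheme of an already entity-decoded URL the way a browser sees it: leading
// control characters and embedded tab/newline characters are ignored.
function urlScheme(value) {
  const v = value.replace(/^[\u0000-\u0020]+/, '').replace(/[\t\n\r]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return m ? m[1] : null;
}

const TAG_RE = /<([a-zA-Z][\w:.-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;            // start tags
const ATTR_RE = /([^\s=/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g; // attributes

// Returns a list of {rule, detail} findings; an empty list means nothing active was seen.
function scanSvg(text) {
  const findings = [];
  if (/<!DOCTYPE\b[^>]*\[/i.test(text)) {
    findings.push({ rule: 'doctype-internal-subset', detail: 'DTD entity definitions' });
  }
  // Comments and CDATA sections are character data, not markup: drop them before matching tags.
  const body = text.replace(/<!--[\s\S]*?-->/g, '').replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, '');
  for (const [, rawName, attrText] of body.matchAll(TAG_RE)) {
    const name = rawName.toLowerCase();
    const local = name.slice(name.lastIndexOf(':') + 1);   // svg:script -> script
    if (ACTIVE_ELEMENTS.has(local)) findings.push({ rule: 'active-element', detail: rawName });
    for (const [, attr, dq, sq, bare] of attrText.matchAll(ATTR_RE)) {
      const aname = attr.toLowerCase();
      const value = decodeEntities(dq ?? sq ?? bare ?? '').trim();
      if (aname.startsWith('on')) {
        findings.push({ rule: 'event-handler', detail: `${rawName}@${attr}` });
      } else if (REFERENCE_ATTRS.has(aname) && value && !value.startsWith('#')) {
        const scheme = urlScheme(value);
        const rule = scheme === 'javascript' || scheme === 'vbscript' ? 'script-url'
          : scheme === 'data' ? 'data-url' : 'external-reference';
        findings.push({ rule, detail: `${rawName}@${attr}=${value}` });
      }
    }
  }
  return findings;
}

const isAcceptableSvg = (text) => scanSvg(text).length === 0;

// Constructed samples: a harmless drawing, then one file per construct described in the thread.
const SAMPLES = {
  plain: `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 40">
  <rect x="5" y="5" width="90" height="30" fill="none" stroke="black"/>
  <text x="10" y="25" font-size="8">R1 10k</text><use href="#r"/>
</svg>`,
  script: `<svg xmlns="http://www.w3.org/2000/svg">
  <script><![CDATA[ fetch('/account').then(r => r.text()); ]]></script>
</svg>`,
  handlers: `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <circle r="10" onload="void 0"/>
  <a xlink:href="&#106;ava&#x73;cript:void(0)"><text>click</text></a>
</svg>`,
  foreign: `<svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="300" height="200">
  <form xmlns="http://www.w3.org/1999/xhtml" method="post" action="/login">
    <input name="user"/><input name="pass" type="password"/></form>
</foreignObject></svg>`,
  external: `<svg xmlns="http://www.w3.org/2000/svg"><image href="https://example.invalid/x.svg"/></svg>`,
  doctype: `<!DOCTYPE svg [<!ENTITY x "y">]><svg xmlns="http://www.w3.org/2000/svg"/>`,
};

// Distinct rule names hit per sample, or ['ok'].
function verdicts() {
  const out = {};
  for (const [label, svg] of Object.entries(SAMPLES)) {
    const rules = [...new Set(scanSvg(svg).map((f) => f.rule))];
    out[label] = rules.length ? rules : ['ok'];
  }
  return out;
}

console.log(verdicts());
```

A gate like this is a filter, not a sanitizer: it tells the upload handler what to reject, and the thumbnail (rendered as an `<img>`, where script never runs) stays the only inline view. Anything accepted should still be served with a download disposition from a host that does not share the forum's cookies, because `<style>` blocks, `@import` and future SVG features are outside what a short allow/deny list covers.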

duckduck:
EEVBlog forum:
--- Quote ---The only allowed extensions are doc,gif,jpg,jpeg,pdf,png,txt,zip,tar,c,h,hex,bas,xls,odt,asm,wav,aiff,wma,mp3,flac,asc,ods,xlsx,py,7z.
--- End quote ---

OK, so what about adding .webp?

From https://en.wikipedia.org/wiki/WebP :


--- Quote ---On 18 November 2011, Google announced a new lossless compression mode, and support for transparency (alpha channel) in both lossless and lossy modes; support was enabled by default in libwebp 0.2.0 (16 August 2012).[14][15] According to Google's measurements in November 2011, a conversion from PNG to WebP resulted in a 45% reduction in file size when starting with PNGs found on the web, and a 28% reduction compared to PNGs that are recompressed with pngcrush and PNGOUT.[16]

In July 2016, Apple added WebP support to early beta versions of macOS Sierra and iOS 10,[17] but support was later removed in the GM seed versions of iOS 10 and macOS Sierra released in September 2016. In September 2020, WebP support was added in Safari version 14.[18]

The supporting libwebp library reached version 1.0 in April 2018.[19]

As of November 2021, web browsers that support WebP had 96% market share.[20]
--- End quote ---
