Author Topic: Adding .svg to allowed attachment file types?  (Read 6519 times)


Online magic

  • Super Contributor
  • ***
  • Posts: 7210
  • Country: pl
Re: Adding .svg to allowed attachment file types?
« Reply #25 on: February 25, 2022, 09:56:52 am »
No, I would put MalwareScript in the SVG which, when opened as an individual "image" ;), downloads the account settings form from the forum, extracts CSRF cookies and submits the form filled with my email address. Then I reset your password.

Same Origin Policy shouldn't be a problem, I make requests to https://www.eevblog.com/ and thankfully attachments are also served from the same domain and over HTTPS :phew:

The last doubt I have is if XMLHttpRequest really permits downloading arbitrary URLs and submitting arbitrary POSTs, but it is my recollection that this is exactly what it does.

And none of it would show up on the thumbnail, of course, because MalwareScript is disabled in <img> mode :-+
« Last Edit: February 25, 2022, 10:03:22 am by magic »
 
The following users thanked this post: Ian.M

Online Zero999

  • Super Contributor
  • ***
  • Posts: 19933
  • Country: gb
  • 0999
Re: Adding .svg to allowed attachment file types?
« Reply #26 on: February 25, 2022, 10:54:09 am »
Quote
BTW, I have no idea about real world efficiency of SVG. I mean, it's uncompressed XML :o so it cannot be great, but it's not a dumb bitmap format OTOH.

That being said, GIF isn't too bad either. Here's a real world schematic with almost 100 components in 32KB GIF.
https://www.eevblog.com/forum/projects/opamps-die-pictures/?action=dlattach;attach=1190312;image

Produced from the ASC vector format ;)
The schematic is 16KB plus definitions of all the symbols (~500 bytes per symbol so maybe ~3KB total).

I guess SVG fanboys can upload something of comparable complexity to support their case :box:
Why use colour? I converted that file to a monochrome PNG and it's now only 12.4kB.

Monochrome PNGs are a similar size, or sometimes smaller than ASC.

8-bit colour PNGs are normally smaller than GIFs. I generally use monochrome PNGs for schematics and those which do require colour are 8-bit, or less, which keeps the file size as small as possible.

I do like SVG and this has been mentioned before, but the consensus was it's too much of a security risk.
 
The following users thanked this post: magic

Offline Nominal Animal (Topic starter)

  • Super Contributor
  • ***
  • Posts: 6865
  • Country: fi
    • My home page and email address
Re: Adding .svg to allowed attachment file types?
« Reply #27 on: February 25, 2022, 10:58:45 am »
Quote
No, I would put MalwareScript in the SVG which, when opened as an individual "image" ;)
As a page, you mean, instead of in an <img> element.  That would allow it to do stuff like XSS requests, yes.

Quote
submits the form filled with my email address.
You forgot that the Account Settings page requires the current password (at the bottom) for exactly this reason!

(At least my browser requires actual user interaction to auto-fill it if saved as a login in the browser.)

Quote
thankfully attachments are also served from the same domain and over HTTPS
You know, your and Ian.M's points have helped me realize a very important thing about online forums: they really should store all user attachments on a different domain.  Not just for cross-site request vulnerabilities, but also because of server-side security considerations and resource use, things like how much CPU time may a single request consume before it is killed, when e.g. generating thumbnails.  To me, this is very important, a new aspect of discussion forum security that I had not realized before.  Thank you.

The obvious domain choice is to use dedicated subdomains, like forum.domain, attachments.domain, and auth.domain.  The last one could be a solution to the problem I have with web hosting services – they can provide only a single Unix account and group per site – essentially treating the problem of access to authentication information across the entire site as a single-sign-on problem instead.  That is, only auth.domain would ever have write access to the user account details, or any access to the privileged user information.  (A fourth one, admin.domain, would help separate privileged administrative/moderation actions from normal operations in a similar way.)  This would not only help with the server side scripting reliability – a script that does not have access to sensitive information cannot leak that sensitive information – but also protect against cross-site attacks among subdomains.

If you have your own virtual server running Apache or Nginx, the configuration to support all on the same machine in different trees (and different Unix user accounts, to stop server-side script bugs exploiting direct filesystem access) is very simple; you can even make a group hierarchy that allows a "human" user to manage them all without sudo.  You only need a single certificate, for *.domain, too.
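The subdomain split described above, written out as an Nginx configuration. This is an added example, not configuration from the thread, from EEVblog or from SMF: the host name example.org, the filesystem paths, the Unix user names and the php-fpm socket are all assumptions, and running the forum's PHP pool as its own Unix user is done in php-fpm's pool configuration, which is not shown. The point it demonstrates is that the attachment host serves static files only, with no session cookies scoped to it and with response headers that keep a file opened as a top-level document from running script or submitting forms, so an attachment cannot act with the viewer's forum credentials even if it is opened directly.

```nginx
# Added example (not from the thread, EEVblog or SMF).
# One wildcard certificate for *.example.org covers both hosts.

server {
    listen 443 ssl;
    server_name forum.example.org;
    ssl_certificate     /etc/ssl/example.org/fullchain.pem;   # *.example.org (assumed path)
    ssl_certificate_key /etc/ssl/example.org/privkey.pem;
    root /srv/forum/htdocs;                 # tree owned by Unix user "forum" (assumed)

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # php-fpm pool configured to run as user "forum"; nothing here can
        # read the attachment tree or the auth host's data directly.
        fastcgi_pass unix:/run/php-fpm/forum.sock;
    }
}

server {
    listen 443 ssl;
    server_name attachments.example.org;
    ssl_certificate     /etc/ssl/example.org/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.org/privkey.pem;
    root /srv/attachments/files;            # owned by user "attach" (assumed); no PHP handler on this host

    location / {
        # Static files only: there is no script interpreter on this host, so
        # an uploaded .php or similar is just bytes served with a MIME type.
        try_files $uri =404;
        # Do not let the browser second-guess the declared Content-Type.
        add_header X-Content-Type-Options "nosniff" always;
        # Even when a file is opened as a top-level document it gets an
        # opaque origin, cannot run script, and cannot submit forms.
        add_header Content-Security-Policy "default-src 'none'; sandbox" always;
        # The forum sets its session cookie host-only on forum.example.org,
        # so a document loaded from this host carries no forum credentials.
    }
}
```

The `sandbox` directive without `allow-scripts` or `allow-forms` is what does the work: together with the separate origin it means a stray `<script>` or an embedded login form in an attachment has neither credentials nor permission to act.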
 

Online magic

  • Super Contributor
  • ***
  • Posts: 7210
  • Country: pl
Re: Adding .svg to allowed attachment file types?
« Reply #28 on: February 25, 2022, 11:58:18 am »
Quote
You forgot that the Account Settings page requires the current password (at the bottom) for exactly this reason!
Damn, I missed it. But not all is lost :-+

Since SVG can contain embedded HTML, we can put the whole SMF login page into it (again, not rendered in thumbnails) telling the sucker to log in again because some internal server error has occurred and session cookies have been lost or whatever >:D

And of course, there are useful actions that don't require password. Like, everybody viewing my pics ends up thanking every one of my posts and PMing Dave to make me the official Designated SVG Expert of the forum :D

Quote
Monochrome PNGs are a similar size, or sometimes smaller than ASC.

8-bit colour PNGs are normally smaller than GIFs. I generally use monochrome PNGs for schematics and those which do require colour are 8-bit, or less, which keeps the file size as small as possible.
Interesting, I used GIF because I assumed that PNGs are 24 bit only. They always turned out larger for me. Will have to investigate.
« Last Edit: February 25, 2022, 12:00:59 pm by magic »
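Reply #25 and Reply #28 between them list the things that make an SVG attachment dangerous when it is opened as a document rather than inside `<img>`: scripts, event handlers, `javascript:` links, and embedded HTML such as a fake login form. The following is an added example of the check a forum could run on an SVG before accepting it; it is not code from the thread, from EEVblog or from SMF, and the two sample SVGs are constructed for the example. It uses only the standard library and rejects entity declarations outright rather than trying to parse them safely.

```python
"""Flag active content in an SVG before a forum accepts it as an attachment.

Added example; not code from the EEVblog forum or from SMF. A browser runs
<script> elements, on* event handlers and javascript: URLs, and renders
embedded HTML (<foreignObject>), only when the SVG is opened as a document,
never when it is inside <img>, so the upload check must look at the file
itself rather than at a thumbnail.
"""
import xml.etree.ElementTree as ET

# Elements that run code, embed HTML or pull in another document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}
# href schemes that execute or fetch from elsewhere; data: is rejected too,
# since it can carry a whole HTML or SVG document.
RISKY_SCHEMES = ("javascript:", "vbscript:", "data:", "http://", "https://", "//")


def local_name(qname):
    """'{http://www.w3.org/2000/svg}script' -> 'script' (lower-cased)."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_findings(svg_bytes):
    """Return a list of reasons to reject the SVG; an empty list means clean."""
    # Entity declarations enable entity-expansion tricks; a drawing exported
    # by a normal tool does not need them, so reject before parsing.
    if b"<!ENTITY" in svg_bytes:
        return ["DTD entity declarations are not accepted"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")

    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        # Stylesheets can also fetch remote resources.
        if name == "style" and elem.text and ("url(" in elem.text or "@import" in elem.text):
            findings.append("<style> with url() or @import")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)      # also strips the xlink: prefix from xlink:href
            v = value.strip().lower()
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and v.startswith(RISKY_SCHEMES):
                findings.append(f"href '{value.strip()[:40]}' on <{name}>")
            elif aname == "style" and "url(" in v:
                findings.append(f"style attribute with url() on <{name}>")
    return findings


def svg_is_safe(svg_bytes):
    return not svg_findings(svg_bytes)


# Constructed samples: a plain schematic fragment, and one carrying each kind
# of active content the thread mentions (script, handler, link, embedded form).
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="50">
  <rect x="5" y="5" width="90" height="40" fill="none" stroke="black"/>
  <text x="10" y="30">R1 10k</text>
</svg>"""

HOSTILE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <rect width="10" height="10"/>
  <script>/* constructed placeholder; a real one would issue requests */</script>
  <a xlink:href="javascript:void(0)"><text y="20">click</text></a>
  <foreignObject width="300" height="200">
    <form xmlns="http://www.w3.org/1999/xhtml" action="/login">
      <input name="user"/><input name="pass" type="password"/>
    </form>
  </foreignObject>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("hostile", HOSTILE_SVG)):
        print(label, svg_findings(doc) or "no findings")
```

A check like this is a gate, not a sanitizer: anything it flags is refused rather than rewritten, which avoids the long history of sanitizer bypasses. It also only reduces the risk of the file itself; serving attachments from a separate origin, as discussed earlier in the thread, is what removes the credentials the script would otherwise act with.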
 

Offline duckduck

  • Frequent Contributor
  • **
  • Posts: 418
  • Country: us
  • 20Hz < fun < 20kHz, and RF is Really Fun
Re: Adding .svg to allowed attachment file types?
« Reply #29 on: August 03, 2022, 06:39:38 pm »
EEVBlog forum:
Quote
The only allowed extensions are doc,gif,jpg,jpeg,pdf,png,txt,zip,tar,c,h,hex,bas,xls,odt,asm,wav,aiff,wma,mp3,flac,asc,ods,xlsx,py,7z.

OK, so what about adding .webp?

From https://en.wikipedia.org/wiki/WebP :

Quote
On 18 November 2011, Google announced a new lossless compression mode, and support for transparency (alpha channel) in both lossless and lossy modes; support was enabled by default in libwebp 0.2.0 (16 August 2012).[14][15] According to Google's measurements in November 2011, a conversion from PNG to WebP resulted in a 45% reduction in file size when starting with PNGs found on the web, and a 28% reduction compared to PNGs that are recompressed with pngcrush and PNGOUT.[16]

In July 2016, Apple added WebP support to early beta versions of macOS Sierra and iOS 10,[17] but support was later removed in the GM seed versions of iOS 10 and macOS Sierra released in September 2016. In September 2020, WebP support was added in Safari version 14.[18]

The supporting libwebp library reached version 1.0 in April 2018.[19]

As of November 2021, web browsers that support WebP had 96% market share.[20]
 

Online Zero999

  • Super Contributor
  • ***
  • Posts: 19933
  • Country: gb
  • 0999
Re: Adding .svg to allowed attachment file types?
« Reply #30 on: August 03, 2022, 09:53:12 pm »
Quote
Monochrome PNGs are a similar size, or sometimes smaller than ASC.

8-bit colour PNGs are normally smaller than GIFs. I generally use monochrome PNGs for schematics and those which do require colour are 8-bit, or less, which keeps the file size as small as possible.
Interesting, I used GIF because I assumed that PNGs are 24 bit only. They always turned out larger for me. Will have to investigate.
Some software always saves as 24-bit PNG, which often makes the file larger than GIF. It's possible to get MS Paint to save as 1-bit PNG. Convert the image to monochrome by clicking on properties; note there's a bug which causes anything which isn't white to be changed to black, then save as .png. It's possible to work around the "everything which isn't white will be black" bug by saving as monochrome .bmp first, then .png.

Proper image processing software such as Gimp is obviously the best way to go, as you can save as 4-bit and 8-bit, as well as 1-bit and 24-bit.
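The forum's allow-list quoted earlier in the thread is by file extension only, and the 1-bit versus 24-bit distinction discussed here lives in the PNG IHDR chunk. The following is an added example, not code from the thread, from EEVblog or from SMF, of checking an image attachment by its bytes rather than its name and reading the PNG bit depth and colour type (and the GIF palette size); the sample files are constructed headers without image data. It goes slightly beyond the thread by validating the IHDR CRC and the depth/colour-type combinations the PNG specification allows.

```python
"""Identify an image attachment by its bytes, not its extension, and report
the PNG bits per pixel. Added example; not code from the EEVblog forum or SMF.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
# PNG colour type -> (name, channels, bit depths per channel the spec permits)
PNG_COLOUR_TYPES = {
    0: ("greyscale", 1, {1, 2, 4, 8, 16}),
    2: ("truecolour", 3, {8, 16}),
    3: ("indexed", 1, {1, 2, 4, 8}),
    4: ("greyscale+alpha", 2, {8, 16}),
    6: ("truecolour+alpha", 4, {8, 16}),
}


def sniff_image(data):
    """'png', 'gif' or None, decided by the leading bytes only."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data[:6] in GIF_SIGNATURES:
        return "gif"
    return None


def extension_matches_content(filename, data):
    """True only if the bytes are a recognised image type and the extension agrees."""
    ext = filename.rsplit(".", 1)[-1].lower()
    kind = sniff_image(data)
    return kind is not None and kind == ext


def png_header(data):
    """Return (width, height, bits_per_pixel, colour_name); raise ValueError if not a valid PNG."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    ihdr, (crc,) = data[16:29], struct.unpack(">I", data[29:33])
    if zlib.crc32(b"IHDR" + ihdr) != crc:      # CRC covers chunk type + data
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, colour, _comp, _filt, _interlace = struct.unpack(">IIBBBBB", ihdr)
    if colour not in PNG_COLOUR_TYPES:
        raise ValueError(f"unknown colour type {colour}")
    name, channels, depths = PNG_COLOUR_TYPES[colour]
    if depth not in depths:
        raise ValueError(f"bit depth {depth} not allowed for {name}")
    return width, height, depth * channels, name


def gif_header(data):
    """Return (width, height, bits per pixel of the global palette, 0 if none)."""
    if data[:6] not in GIF_SIGNATURES:
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack("<HHB", data[6:11])
    has_table = bool(packed & 0x80)           # global colour table flag
    bits = (packed & 0x07) + 1 if has_table else 0
    return width, height, bits


def make_png_header(width, height, depth, colour):
    """Constructed test input: signature plus a valid IHDR chunk, no image data."""
    ihdr = struct.pack(">IIBBBBB", width, height, depth, colour, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + ihdr))
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + crc


# Constructed samples: a 1-bit greyscale PNG, a 24-bit truecolour PNG and a
# GIF with a 256-entry global palette (headers only, in each case).
SAMPLE_PNG_1BIT = make_png_header(640, 480, 1, 0)
SAMPLE_PNG_24BIT = make_png_header(640, 480, 8, 2)
SAMPLE_GIF = b"GIF89a" + struct.pack("<HHB", 320, 200, 0x87) + b"\x00\x00"

if __name__ == "__main__":
    print(png_header(SAMPLE_PNG_1BIT), png_header(SAMPLE_PNG_24BIT), gif_header(SAMPLE_GIF))
    print(extension_matches_content("schematic.png", SAMPLE_GIF))  # GIF bytes under a .png name
```

For an upload handler the useful call is `extension_matches_content`: a file whose bytes do not match its claimed type is refused, and for PNGs the returned bits per pixel is what tells you whether a tool really wrote a 1-bit or 8-bit image rather than a 24-bit one.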
 

