Wonder if this could be related to the fix we made for deleting old thumbnails.

It looks to be related using an entity reference in an xmlns attribute. Our svg reader that determines the size of an svg doesn't expand the entity, so it doesn't recognize the starting svg tag as being in the right namespace (from debug log: SvgHandler::getMetadata: Expected <svg> tag, got svg in NS &ns_svg; )

This is possibly an upstream issue with whichever xml library we use to read svgs.

However, didn't we use to assume the image was 200x200 if we couldn't find a width/height, or something like that(?)

Rendering problems with same example file in bug 31720 are probably related to this.

Actually, to fix this, you set

XMLReader::setParserProperty(XMLReader::SUBST_ENTITIES, true)

Problem is however that this opens you up to entity expansion xmlbombs. I'm not sure if XmlReader sets safe limits to prevent this, an where or how those limits are set.

Alternatively, i think we could just whitelist this case. Patch attached.

Created attachment 9602
Whitelist the Adobe svg namespace entity as being equal to the actual SVG namespace.

Attached:

I applied that in r107359. I'm not sure if its the "best" fix (hence i'm leaving the bug open), but its certainly an improvement over current situation.

(In reply to comment #4)

Actually, to fix this, you set

XMLReader::setParserProperty(XMLReader::SUBST_ENTITIES, true)

Problem is however that this opens you up to entity expansion xmlbombs. I'm not
sure if XmlReader sets safe limits to prevent this, an where or how those
limits are set.

We can use XMLReader::SUBST_ENTITIES, libxml2 does limit it. Recursive entity declarations generate an error "Detected an entity reference loop", and there are some heuristics in xmlParserEntityCheck() that look like they are intended to protect against some more obscure cases.

Committed in r107793.