Author: saibotrash
Description:
http://commons.wikimedia.org/wiki/File:Toll_Texas_1.svg I saw four thumbs in the history - the 1 2 7 and 9th version. If I revert to the 8th version they all vanish.
Version: 1.18.x
Severity: normal
• bzimport | |
Oct 15 2011, 2:18 AM |
F8024: svg_entity.patch | |
Nov 21 2014, 11:48 PM |
Author: saibotrash
Description:
http://commons.wikimedia.org/wiki/File:Toll_Texas_1.svg I saw four thumbs in the history - the 1 2 7 and 9th version. If I revert to the 8th version they all vanish.
Version: 1.18.x
Severity: normal
Status | Subtype | Assigned | Task | ||
---|---|---|---|---|---|
Resolved | None | T33720 svg doesn't render as current version - but it does if it is just a archive version | |||
Resolved | None | T33719 SVG metadata reader has troubles when the xmlns is set to an entity reference |
It looks to be related using an entity reference in an xmlns attribute. Our svg reader that determines the size of an svg doesn't expand the entity, so it doesn't recognize the starting svg tag as being in the right namespace (from debug log: SvgHandler::getMetadata: Expected <svg> tag, got svg in NS &ns_svg; )
This is possibly an upstream issue with whichever xml library we use to read svgs.
However, didn't we use to assume the image was 200x200 if we couldn't find a width/height, or something like that(?)
Actually, to fix this, you set
XMLReader::setParserProperty(XMLReader::SUBST_ENTITIES, true)
Problem is however that this opens you up to entity expansion xmlbombs. I'm not sure if XmlReader sets safe limits to prevent this, an where or how those limits are set.
Alternatively, i think we could just whitelist this case. Patch attached.
Created attachment 9602
Whitelist the Adobe svg namespace entity as being equal to the actual SVG namespace.
Attached:
I applied that in r107359. I'm not sure if its the "best" fix (hence i'm leaving the bug open), but its certainly an improvement over current situation.
(In reply to comment #4)
Actually, to fix this, you set
XMLReader::setParserProperty(XMLReader::SUBST_ENTITIES, true)
Problem is however that this opens you up to entity expansion xmlbombs. I'm not
sure if XmlReader sets safe limits to prevent this, an where or how those
limits are set.
We can use XMLReader::SUBST_ENTITIES, libxml2 does limit it. Recursive entity declarations generate an error "Detected an entity reference loop", and there are some heuristics in xmlParserEntityCheck() that look like they are intended to protect against some more obscure cases.
Committed in r107793.