SECURITY: Whitelist DTD declaration in SVG

Unpublished Commit · Learn More

Publishing Disabled: All publishing is disabled for this repository.
This commit no longer exists in the repository. It may have been part of a branch which was deleted.This commit has been deleted in the repository: it is no longer reachable from any branch, tag, or ref.


SECURITY: Whitelist DTD declaration in SVG

Only allow ENTITY declarations inside the doctype internal
subset. Do not allow parameter entities, recursive entity
references are entity values longer than 255 bytes, or
external entity references. Filter external doctype subset
to only allow the standard svg doctypes.

Recursive entities that are simple aliases are allowed
because people appear to use them on commons. Declaring
xmlns:xlink to have a #FIXED value to the xlink namespace
is allowed because GraphViz apparently does that so its
somewhat common.

This prevents someone bypassing filter by using default
attribute values in internal dtd subset. No browser loads
the external dtd subset that I could find, but whitelist
just to be safe anyways.

Issue reported by Cassiogomes11.

Bug: T151735
Change-Id: I7cb4690f759ad97e70e06e560978b6207d84c446
(cherry picked from commit bc31c5bd57e5f58c204113ef651d8fa172122c47)


BawolffAuthored on Nov 28 2016, 11:34 PM
UrbanrogueCommitted on Apr 7 2017, 6:52 PM

Commit No Longer Exists

This commit no longer exists in the repository.