[Sugar-devel] [sugar-toolkit-gtk3 PATCH] sl#4276: Writing the icon-files for ".xo" files on a permanent mount-point, and not /tmp. mount-point.
Gonzalo Odiard
gonzalo at laptop.org
Mon Dec 10 21:44:52 EST 2012
...
So I can attack a user (denial of service) by providing an .xo file
> with a very very large .svg file in it, and there is nothing the user
> can do ... in Sugar ... to escape from the situation.
>
> It is an added security vulnerability.
>
> So, Nak.
>
> As an example, http://dev.laptop.org/~quozl/denial-of-service.zip is
> an old activity of mine with the .svg file replaced by 1 GB of zero
> bytes, which compresses nicely. When this file is renamed to .xo and
> downloaded with Sugar is to result in 1 MB of download data, and in 2
> GB of storage loss; 1 GB for the activity/*.svg files, and 1 GB for
> the /icon_files/
>
>
Right now, sugar is decompressing the icon anyway,
then, there are no too much change.
Gonzalo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sugarlabs.org/archive/sugar-devel/attachments/20121210/c7d84b36/attachment.html>
More information about the Sugar-devel
mailing list