Well, I can't think how to overcome this :D If this is indeed an issue, I can only begin to think the catastrophe that this could cause in the earlier implementation (writing multiple files. per-activity-per-rendering-in-listview). <div class="gmail_quote">On Tue, Dec 11, 2012 at 2:09 AM, James Cameron <<a href="mailto:quozl@laptop.org" target="_blank">quozl@laptop.org</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div class="im">On Tue, Dec 11, 2012 at 01:47:36AM +0530, Ajay Garg wrote: > In my current approach, a file in "icon_files" folder is not removed > ever, once it is written. </div>So I can attack a user (denial of service) by providing an .xo file with a very very large .svg file in it, and there is nothing the user can do ... in Sugar ... to escape from the situation. It is an added security vulnerability. So, Nak. As an example, <a href="http://dev.laptop.org/%7Equozl/denial-of-service.zip" target="_blank">http://dev.laptop.org/~quozl/denial-of-service.zip</a> is an old activity of mine with the .svg file replaced by 1 GB of zero bytes, which compresses nicely. When this file is renamed to .xo and downloaded with Sugar is to result in 1 MB of download data, and in 2 GB of storage loss; 1 GB for the activity/*.svg files, and 1 GB for the /icon_files/ <div class="HOEnZb"><div class="h5"> -- James Cameron <a href="http://quozl.linux.org.au/" target="_blank">http://quozl.linux.org.au/</a> </div></div></blockquote></div> Regards, Ajay Garg Dextrose Developer Activity Central: <a href="http://activitycentral.com/" style="font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)" target="_blank">http://activitycentral.com</a>