Well, I can't think how to overcome this :D<br><br>If this is indeed an issue, I can only begin to think of the catastrophe that this could cause in the earlier implementation (writing multiple files, per-activity-per-rendering-in-listview).<br>
<br><div class="gmail_quote">On Tue, Dec 11, 2012 at 2:09 AM, James Cameron <span dir="ltr"><<a href="mailto:quozl@laptop.org" target="_blank">quozl@laptop.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Tue, Dec 11, 2012 at 01:47:36AM +0530, Ajay Garg wrote:<br>
> In my current approach, a file in "icon_files" folder is not removed<br>
> ever, once it is written.<br>
<br>
</div>So I can attack a user (denial of service) by providing an .xo file<br>
with a very very large .svg file in it, and there is nothing the user<br>
can do ... in Sugar ... to escape from the situation.<br>
<br>
It is an added security vulnerability.<br>
<br>
So, Nak.<br>
<br>
As an example, <a href="http://dev.laptop.org/%7Equozl/denial-of-service.zip" target="_blank">http://dev.laptop.org/~quozl/denial-of-service.zip</a> is<br>
an old activity of mine with the .svg file replaced by 1 GB of zero<br>
bytes, which compresses nicely. When this file is renamed to .xo and<br>
downloaded with Sugar, it results in 1 MB of download data, and in 2<br>
GB of storage loss; 1 GB for the activity/*.svg files, and 1 GB for<br>
the /icon_files/<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
James Cameron<br>
<a href="http://quozl.linux.org.au/" target="_blank">http://quozl.linux.org.au/</a><br>
</div></div></blockquote></div><br><br clear="all"><br><font face="arial, sans-serif">Regards,<br><br>Ajay Garg</font><br style="font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"><font face="arial, sans-serif">Dextrose Developer</font><br style="font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<span style="font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Activity Central: </span><a href="http://activitycentral.com/" style="font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)" target="_blank">http://activitycentral.com</a><br>
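<br>As an added example (not code from this thread or from Sugar itself), the check below screens an .xo bundle in Python before any icon is written to disk: it refuses .svg entries whose declared size or compression ratio is implausible, and it bounds the bytes actually read when an icon is extracted, since the size declared in the zip header can be forged. The limits, the bundle layout and the function names are assumptions made for the illustration.

```python
import io
import zipfile

# Limits for an activity bundle (.xo is a zip archive). These values are
# assumptions for illustration, not Sugar's actual policy.
MAX_ICON_BYTES = 256 * 1024   # an activity icon larger than this is refused
MAX_RATIO = 50                # uncompressed/compressed ratio beyond this is suspicious


def check_bundle_icons(xo_bytes):
    """Screen every .svg entry of an .xo bundle using only the sizes declared
    in the zip central directory, before anything is extracted.
    Returns a list of (entry name, reason) for entries that would be refused."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(xo_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".svg"):
                continue
            if info.file_size > MAX_ICON_BYTES:
                problems.append((info.filename, "declared size %d exceeds limit" % info.file_size))
            elif info.compress_size and info.file_size // info.compress_size > MAX_RATIO:
                problems.append((info.filename, "compression ratio too high"))
    return problems


def load_icon(xo_bytes, entry_name, limit=MAX_ICON_BYTES):
    """Read one icon while counting the bytes actually produced: the declared
    size can be forged, so the limit is enforced on the real output as well.
    Returns the SVG bytes, or None if the entry exceeds the limit."""
    with zipfile.ZipFile(io.BytesIO(xo_bytes)) as zf:
        with zf.open(entry_name) as f:
            data = f.read(limit + 1)   # never inflate more than limit+1 bytes
    return data if len(data) <= limit else None


def make_bundle(svg_payload):
    """Build a minimal constructed bundle in memory (not a real Sugar activity)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Demo.activity/activity/activity.info", "[Activity]\nname = Demo\n")
        zf.writestr("Demo.activity/activity/demo-icon.svg", svg_payload)
    return buf.getvalue()


GOOD_SVG = b"<svg xmlns='http://www.w3.org/2000/svg'><circle r='5'/></svg>"
# A few megabytes of zero bytes stand in for the 1 GB file described in the thread.
HOSTILE_SVG = b"\x00" * (4 * 1024 * 1024)

if __name__ == "__main__":
    for label, payload in (("benign", GOOD_SVG), ("hostile", HOSTILE_SVG)):
        print(label, check_bundle_icons(make_bundle(payload)))
```

Screening on declared sizes is cheap and catches the case in the thread, but only the bounded read in load_icon protects against an entry whose header lies about its size.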