[Sugar-devel] [sugar-toolkit-gtk3 PATCH] sl#4276: Writing the icon-files for ".xo" files on a permanent mount-point, and not /tmp mount-point.

Ajay Garg ajay at activitycentral.com
Mon Dec 10 15:52:07 EST 2012


Well, I can't think how to overcome this :D

If this is indeed an issue, I can only begin to think of the catastrophe that
this could cause in the earlier implementation (writing multiple files,
per-activity-per-rendering-in-listview).

On Tue, Dec 11, 2012 at 2:09 AM, James Cameron <quozl at laptop.org> wrote:

> On Tue, Dec 11, 2012 at 01:47:36AM +0530, Ajay Garg wrote:
> > In my current approach, a file in "icon_files" folder is not removed
> > ever, once it is written.
>
> So I can attack a user (denial of service) by providing an .xo file
> with a very very large .svg file in it, and there is nothing the user
> can do ... in Sugar ... to escape from the situation.
>
> It is an added security vulnerability.
>
> So, Nak.
>
> As an example, http://dev.laptop.org/~quozl/denial-of-service.zip is
> an old activity of mine with the .svg file replaced by 1 GB of zero
> bytes, which compresses nicely.  When this file is renamed to .xo and
> downloaded with Sugar, it is to result in 1 MB of download data, and in 2
> GB of storage loss; 1 GB for the activity/*.svg files, and 1 GB for
> the /icon_files/.
>
> --
> James Cameron
> http://quozl.linux.org.au/
>



Regards,

Ajay Garg
Dextrose Developer
Activity Central: http://activitycentral.com
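The problem James describes is a decompression-size mismatch: a bundle that downloads as about 1 MB but expands to gigabytes on a permanent mount point with no way for the user to undo it. The following is an added example, not code from Sugar or from this patch, of the kind of check that could run before anything from an .xo is written to disk. It reads only the zip central directory to refuse bundles whose declared icon or total size (or compression ratio) is out of budget, and then bounds the actual extraction too, because a crafted header can under-declare `file_size`. The limits, function names and file layout are assumptions for illustration; the "bomb" fixture stands in 2 MB of zeros for the 1 GB file in the quoted message.

```python
"""Added example: size-budget checks for a zip-format .xo bundle.

Not Sugar's own code. Two layers: (1) inspect declared sizes in the
central directory before extracting anything; (2) cap bytes actually
produced while extracting, since declared sizes can be forged.
"""
import io
import zipfile

# Assumed limits (illustrative, not Sugar's real policy).
MAX_ICON_BYTES = 64 * 1024          # an activity icon should be tiny
MAX_BUNDLE_BYTES = 16 * 1024 * 1024  # declared total of all members
MAX_RATIO = 100                      # uncompressed / compressed


def check_bundle(data: bytes):
    """Return (ok, reason) using central-directory metadata only.

    Nothing is extracted here, so a hostile bundle costs no disk space.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a zip archive"
    total = 0
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += info.file_size
            if total > MAX_BUNDLE_BYTES:
                return False, f"declared total exceeds {MAX_BUNDLE_BYTES} bytes"
            if info.filename.lower().endswith(".svg") and info.file_size > MAX_ICON_BYTES:
                return False, f"{info.filename} declares {info.file_size} bytes"
            # Highly compressible members (e.g. runs of zero bytes) stand out here.
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                return False, f"{info.filename} compression ratio too high"
    return True, "ok"


def read_member_bounded(data: bytes, name: str, limit: int) -> bytes:
    """Decompress one member but abort once more than `limit` bytes appear.

    This is the second layer: it does not trust file_size at all.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        out = bytearray()
        while True:
            chunk = fh.read(65536)
            if not chunk:
                break
            out += chunk
            if len(out) > limit:
                raise ValueError(f"{name} exceeds {limit} bytes during extraction")
    return bytes(out)


def make_bundle(svg_bytes: bytes) -> bytes:
    """Constructed fixture: a minimal activity bundle with one icon file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Example.activity/activity/activity.info",
                    "[Activity]\nname = Example\n")
        zf.writestr("Example.activity/activity/activity-icon.svg", svg_bytes)
    return buf.getvalue()


ICON_PATH = "Example.activity/activity/activity-icon.svg"
BENIGN_SVG = b"<svg xmlns='http://www.w3.org/2000/svg'/>"
BENIGN = make_bundle(BENIGN_SVG)
# Stand-in for the quoted 1 GB of zero bytes: 2 MB of zeros, same shape of problem.
BOMB = make_bundle(b"\0" * (2 * 1024 * 1024))

if __name__ == "__main__":
    print("benign:", check_bundle(BENIGN))
    print("bomb:  ", check_bundle(BOMB))
```

The first layer is cheap and catches the honest-but-huge case; the second is what protects the permanent mount point when the metadata lies. Either way the icon never reaches `icon_files` unless it fits the budget, which removes the "nothing the user can do" part of the objection.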

