
Cairosvg susceptible to billion laughs type attack

Open psychon opened this issue 4 years ago • 1 comments

Hi,

I'm forwarding https://gitlab.freedesktop.org/cairo/cairo/-/issues/383 here:

When I try to open a malicious SVG that is created using nested references, it hangs the application. The sample test case is at https://unshorn.github.io/foo.svg. Note that this URL cannot be opened in the browser, as it will also hang. There are two sample inputs: https://unshorn.github.io/nested-pattern-crash.svg and https://unshorn.github.io/deep.svg

psychon, Jan 17 '21 07:01

Hi!

Thanks a lot for forwarding the original issue.

These samples aren’t "real" billion laughs attacks, as they don’t rely on entities. CairoSVG uses defusedxml and doesn’t allow entities by default.

But of course, these samples use other kinds of SVG references. There are so many possible variations that I’m not sure that we can do anything to fix that. If all browsers are vulnerable (looks like they are), then I suppose that it’s commonly accepted.

liZe, Jan 17 '21 17:01
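
A pre-render check for the reference nesting discussed in this thread, as an added example that is not CairoSVG's code and not part of either comment: it walks the `href` / `url(#id)` graph with memoisation to bound how many nodes a renderer would visit, and rejects cycles and over-budget files before they reach the renderer. The names `expansion_cost` and `ReferenceBomb`, the 100,000-node budget and the sample SVG are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET  # on untrusted input, parse with defusedxml.ElementTree instead

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_REF = re.compile(r"url\(\s*['\"]?#([^'\")\s]+)")  # fill="url(#id)", also inside style=""

class ReferenceBomb(ValueError):
    """Raised when the reference graph is cyclic, too deep, or over budget."""

def _refs(el):
    # Ids this element points at: href/xlink:href plus any url(#id) reference.
    for name, value in el.attrib.items():
        if name in ("href", XLINK_HREF):
            if value.startswith("#"):
                yield value[1:]
        else:
            for match in URL_REF.finditer(value):
                yield match.group(1)

def expansion_cost(svg_text, limit=100_000):  # limit is an assumed budget
    """Upper bound on nodes a renderer visits after following every reference."""
    root = ET.fromstring(svg_text)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    memo, active = {}, set()

    def cost(el):
        if el in memo:
            return memo[el]
        if el in active:
            raise ReferenceBomb("reference cycle through id=%r" % el.get("id"))
        active.add(el)
        total = 1 + sum(cost(child) for child in el)
        total += sum(cost(by_id[ref]) for ref in _refs(el) if ref in by_id)
        active.discard(el)
        memo[el] = total  # memoised: the bound is computed without expanding anything
        return total

    try:
        total = cost(root)
    except RecursionError:
        raise ReferenceBomb("nesting too deep to analyse") from None
    if total > limit:
        raise ReferenceBomb("expansion %d exceeds limit %d" % (total, limit))
    return total

# Constructed sample: three levels, two references each (harmless at this size).
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><rect id="a" width="1" height="1"/>
    <g id="b"><use xlink:href="#a"/><use xlink:href="#a"/></g>
    <g id="c"><use xlink:href="#b"/><use xlink:href="#b"/></g></defs>
  <use xlink:href="#c"/>
</svg>"""
```

The count includes the contents of `<defs>`, so it overestimates rather than underestimates; the budget should be tuned against the legitimate files a deployment actually sees.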