[html5] r2096 - [] (0) Make it impossible for an SVG file not labelled as SVG to be sniffed as a [...]

whatwg at whatwg.org whatwg at whatwg.org
Thu Aug 21 03:06:14 PDT 2008


Author: ianh
Date: 2008-08-21 03:06:12 -0700 (Thu, 21 Aug 2008)
New Revision: 2096

Modified:
   index
   source
Log:
[] (0) Make it impossible for an SVG file not labelled as SVG to be sniffed as a valid image in <img> (that would allow privilege escalation), but do allow a correctly-labelled SVG to be processed as such.

Modified: index
===================================================================
--- index	2008-08-21 09:54:39 UTC (rev 2095)
+++ index	2008-08-21 10:06:12 UTC (rev 2096)
@@ -5736,9 +5736,6 @@
      either "text/xml" or "application/xml", then the sniffed type of the
      resource is <var title="">official type</var>; return that and abort
      these steps.
-   </li>
-   <!-- we don't want
-   image/svg+xml going through the next step -->
 
    <li>
     <p>If <var title="">official type</var> is an image type supported by the
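Review bot: the removal at the end of the "+xml" step takes the `</li>` end tag out along with the comment, while the matching change to source keeps `</p></li>`. If index is generated from source this is harmless (the end tag is optional in HTML), but it is worth confirming the file was regenerated rather than edited by hand so the two stay in step.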
@@ -6199,11 +6196,15 @@
   <h4 id=content-type3><span class=secno>2.7.5 </span><dfn
    id=content-type8>Content-Type sniffing: image</dfn></h4>
 
-  <p>If the first bytes of the resource match one of the byte sequences in
-   the first column of the following table, then the sniffed type of the
-   resource is the type given in the corresponding cell in the second column
-   on the same row:
+  <p>If the resource's <var title="">official type</var> is "image/svg+xml",
+   then the sniffed type of the resource is its <var title="">official
+   type</var> (an XML type).
 
+  <p>Otherwise, if the first bytes of the resource match one of the byte
+   sequences in the first column of the following table, then the sniffed
+   type of the resource is the type given in the corresponding cell in the
+   second column on the same row:
+
   <table>
    <thead>
     <tr>
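Review bot: the "Otherwise" paragraph only keeps an unlabelled SVG out of `<img>` if no row of the table that follows matches XML or SVG content, and the table rows are outside this hunk. Suggest stating that requirement next to the table, so that a later row addition cannot quietly undo what the log message says this change is for.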
@@ -16077,7 +16078,10 @@
    title="Content-Type sniffing: image">image sniffing rules</a> to determine
    the type of the image, with the image's <a href="#content-type5"
    title=Content-Type>associated Content-Type headers</a> giving the <var
-   title="">official type</var>.
+   title="">official type</var>. If these rules are not applied, then the
+   type of the image must be the type given by the image's <a
+   href="#content-type5" title=Content-Type>associated Content-Type
+   headers</a>.
 
   <p>User agents must not support non-image resources with the <code><a
    href="#img">img</a></code> element (e.g. XML files whose root element is
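Review bot: the added sentence "If these rules are not applied, then the type of the image must be the type given by the image's associated Content-Type headers" does not cover a resource that has no usable Content-Type header. Suggest saying what the type is in that case, and pointing to the condition under which the rules may be skipped, since the sentence itself does not name it.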

Modified: source
===================================================================
--- source	2008-08-21 09:54:39 UTC (rev 2095)
+++ source	2008-08-21 10:06:12 UTC (rev 2096)
@@ -3697,8 +3697,7 @@
    <li><p>If <var title="">official type</var> ends in "+xml", or if
    it is either "text/xml" or "application/xml", then the sniffed
    type of the resource is <var title="">official type</var>; return
-   that and abort these steps.</p></li> <!-- we don't want
-   image/svg+xml going through the next step -->
+   that and abort these steps.</p></li>
 
    <li><p>If <var title="">official type</var> is an image type
    supported by the user agent (e.g. "image/png", "image/gif",
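Review bot: dropping the comment after the "+xml" step removes the only in-place explanation of why image/svg+xml must stop here, yet the step still has that effect because the type ends in "+xml". Suggest keeping a short comment that points to "Content-Type sniffing: image", where the SVG case is now spelled out.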
@@ -4081,8 +4080,12 @@
 
   <h4><dfn>Content-Type sniffing: image</dfn></h4>
 
-  <p>If the first bytes of the resource match one of the byte
-  sequences in the first column of the following table, then the
+  <p>If the resource's <var title="">official type</var> is
+  "image/svg+xml", then the sniffed type of the resource is its <var
+  title="">official type</var> (an XML type).</p>
+
+  <p>Otherwise, if the first bytes of the resource match one of the
+  byte sequences in the first column of the following table, then the
   sniffed type of the resource is the type given in the corresponding
   cell in the second column on the same row:</p>
 
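Review bot: the new first paragraph tests the official type against the literal "image/svg+xml" without saying how the comparison is made. Unless the definition of official type already normalises it, suggest stating whether case and parameters are ignored, because a label such as "image/svg+xml; charset=utf-8" that fails the test would fall through to the byte-sequence table in the "Otherwise" paragraph.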
@@ -13560,7 +13563,9 @@
   sniffing: image">image sniffing rules</span> to determine the type
   of the image, with the image's <span title="Content-Type">associated
   Content-Type headers</span> giving the <var title="">official
-  type</var>.</p>
+  type</var>. If these rules are not applied, then the type of the
+  image must be the type given by the image's <span
+  title="Content-Type">associated Content-Type headers</span>.</p>
 
   <p>User agents must not support non-image resources with the
   <code>img</code> element (e.g. XML files whose root element is an



