svg xml with weird non-utf8 content causes an ugly traceback
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Snap Store Server | Fix Released | Medium | Maximiliano Bertacchini |
Bug Description
how to reproduce:
- go to snapcraft.io, developer account, choose any snap...
- try to upload the specially-crafted evil svg, contains something like this (best to download the attachment, as the key is the funky xpacked non-utf8 data):
<?xml version="1.0" standalone="no"?>
<svg width="600" height="800">
<?xpacket begin="�"" id="W5M0MpCehiH
<rect width="600" height="800" style="
<circle cx="300" cy="400" r="300" style="
</svg>
Expected result:
- "Icon: The image file 'bogon.svg' is not valid (we can't open it)."
- No sentry tracebacks because we don't need to be spammed every time someone uploads a weird file
Actual result:
- "Icon: The image file 'bogon.svg' is not valid (we can't open it)." (OK, nice friendly user-facing error)
- A sentry traceback!!
https:/
IOError: Could not convert SVG file: Error reading SVG:Error domain 1 code 9 on line 1 column 1 of file://
Bytes: 0xFF 0x22 0x22 0x20
File "devportal/
data = make_icon_
File "devportal/
data = _make_simple_
File "devportal/
raise IOError(msg)
Worth checking if we really want to bubble this to a sentry error. The file is clearly malformed, which appears to be due to a bug in inkscape (although without access to the file that triggered this originally, we can't tell whether it was indeed created by inkscape).
Without access to rsvg-convert, it's likely the user wouldn't have a way of verifying why inkscape can open the file but we can't.
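One way to get the expected result above (friendly error, no error-tracker event), as an added example that is not the Snap Store's own code: check well-formedness before conversion and treat a failure as a user error logged below ERROR. The names `InvalidIconError`, `check_svg_well_formed`, `make_icon`, the `convert` callable and the sample bytes are assumptions constructed for illustration.

```python
import logging
from xml.parsers import expat

log = logging.getLogger("icon_upload")  # hypothetical logger name


class InvalidIconError(ValueError):
    """A malformed upload: an expected user error, not a server fault."""


def _reject_entities(*_args):
    # Hardening: refuse DTD entity declarations in untrusted uploads.
    raise InvalidIconError("entity declarations are not allowed")


def check_svg_well_formed(data: bytes) -> None:
    """Raise InvalidIconError unless data is well-formed XML rooted at <svg>."""
    roots = []
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = _reject_entities
    parser.StartElementHandler = lambda name, _attrs: roots.append(name)
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise InvalidIconError(f"not well-formed XML at line {exc.lineno}") from exc
    if not roots or roots[0].rsplit(":", 1)[-1] != "svg":
        raise InvalidIconError("root element is not <svg>")


def make_icon(name: str, data: bytes, convert) -> dict:
    """convert stands in for the real SVG rasteriser (hypothetical callable)."""
    try:
        check_svg_well_formed(data)
    except InvalidIconError as exc:
        # Logged below ERROR so error-level alerting is not triggered.
        log.info("rejected icon %r: %s", name, exc)
        return {"ok": False,
                "error": f"The image file '{name}' is not valid (we can't open it)."}
    # Failures past this point are unexpected and propagate to the caller.
    return {"ok": True, "png": convert(data)}


# Constructed sample: a stray 0xFF byte inside an xpacket processing instruction.
BOGON = (b'<?xml version="1.0" standalone="no"?>\n'
         b'<svg width="600" height="800">\n'
         b'<?xpacket begin="\xff"" id="constructed"?>\n'
         b'<rect width="600" height="800"/>\n</svg>\n')
GOOD = b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>'
```

Errors raised by the converter on well-formed input are deliberately not caught, so genuine server-side faults still surface.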
Changed in snapstore:
status: Triaged → In Progress
assignee: nobody → Maximiliano Bertacchini (maxiberta)
Changed in snapstore:
status: In Progress → Fix Committed
Changed in snapstore:
status: Fix Committed → Fix Released
https://bugs.launchpad.net/ubuntu/+source/inkscape/+bug/499257