From: Evgeny Zajcev
Newsgroups: gmane.emacs.devel
Subject: Re: Loading svg from memory using custom filename for base_uri
Date: Thu, 3 Dec 2020 20:50:15 +0300
To: Alan Third, Evgeny Zajcev, Eli Zaretskii, emacs-devel

Thu, 3 Dec 2020 at 19:54, Evgeny Zajcev <lg.zevlg@gmail.com>:

Thu, 3 Dec 2020 at 19:30, Alan Third <alan@idiocy.org>:
On Thu, Dec 03, 2020 at 07:25:10PM +0300, lg.zevlg@gmail.com wrote:
>
> > On 3 Dec 2020, at 19:17, Alan Third <alan@idiocy.org> wrote:
> >
> > On Thu, Dec 03, 2020 at 06:47:37PM +0300, Evgeny Zajcev wrote:
> >> diff --git a/src/xdisp.c b/src/xdisp.c
> >> index 76ef420a36..51735b269d 100644
> >> --- a/src/xdisp.c
> >> +++ b/src/xdisp.c
> >> @@ -34631,6 +34631,7 @@ syms_of_xdisp (void)
> >>=C2=A0 =C2=A0DEFSYM (QCeval, ":eval");
> >>=C2=A0 =C2=A0DEFSYM (QCpropertize, ":propertize"); > >>=C2=A0 =C2=A0DEFSYM (QCfile, ":file");
> >> +=C2=A0 DEFSYM (QCbase_uri, ":base-uri");
> >>=C2=A0 =C2=A0DEFSYM (Qfontified, "fontified");
> >>=C2=A0 =C2=A0DEFSYM (Qfontification_functions, "fontifica= tion-functions");
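Review bot: The added `DEFSYM (QCbase_uri, ":base-uri");` line introduces a new user-visible image property, yet nothing in this hunk documents it. Because the thread states that an SVG loaded with `:base-uri` can access files under that location, the property should ship with a doc entry saying that the value sets where relative references inside the SVG are resolved, and that it is taken from the caller's image spec and never from the SVG data itself.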
> >
> > Hi Evgeny, is there any reason this couldn't go in image.c? I think we
> > only need it when librsvg is compiled in too.
>
> You are right, this is an svg-only thing, I’ll fix

I'm also wondering whether this is something that would be useful when
loading from a file and not just data? It might be considered a
security risk, I suppose?

No risk, because `:base-uri` is part of image properties and not svg data.  And if one specified explicitly `:base-uri` then he knows what he is doing and understands that loading an svg image could access files inside `:base-uri`.

Having control over svg base_uri is a nice thing to have for both data and file image specifiers.

I'll update the patch

Here is the updated patch, with support for `:base-uri` for :file image spec as well


--
lg
[Attachment: 0001-Explicitly-specify-svg-base_uri-using-base-uri-image.patch (text/x-patch)]
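
The security question in the thread, that an SVG loaded with a given `:base-uri` can reach files relative to that location, can be checked before an image is rendered. The following is an added example, not part of the original message or of Emacs: it resolves every `href` in an SVG against a base URI and reports where each one lands. The sample SVG, the paths and the function name `classify_references` are constructed for illustration, and the inside/outside policy is an assumption, not a statement of librsvg's behaviour.

```python
import os
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse, unquote

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample: SVG data of the kind passed in a :data image spec.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="icons/logo.png"/>
  <image xlink:href="../other/secret.png"/>
  <image href="file:///etc/hostname"/>
  <image href="https://tracker.example/pixel.png"/>
  <image href="data:image/png;base64,AAAA"/>
</svg>"""


def classify_references(svg_text, base_uri):
    """Return [(href, verdict)] for each href resolved against base_uri.

    base_uri is assumed to be an absolute file name or file: URI, as the
    value handed to the SVG loader would be.
    """
    base_dir = os.path.normpath(os.path.dirname(urlparse(base_uri).path))
    results = []
    for elem in ET.fromstring(svg_text).iter():
        href = elem.get(XLINK_HREF) or elem.get("href")
        if not href or href.startswith("#"):
            continue  # no reference, or a same-document fragment
        resolved = urlparse(urljoin(base_uri, href))
        if resolved.scheme == "data":
            verdict = "inline"        # payload is embedded, no file access
        elif resolved.scheme not in ("", "file"):
            verdict = "remote"        # would leave the local machine
        else:
            target = os.path.normpath(unquote(resolved.path))
            inside = os.path.commonpath([base_dir, target]) == base_dir
            verdict = "inside-base" if inside else "outside-base"
        results.append((href, verdict))
    return results


if __name__ == "__main__":
    for href, verdict in classify_references(
            SAMPLE_SVG, "file:///home/user/notes/drawing.svg"):
        print(f"{verdict:13} {href}")
```
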