After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 646618 - Remote images not supported
Remote images not supported
Status: RESOLVED NOTABUG
Product: librsvg
Classification: Core
Component: general
git master
Other Linux
: Normal normal
: ---
Assigned To: librsvg maintainers
librsvg maintainers
Depends on:
Blocks:
 
 
Reported: 2011-04-03 14:14 UTC by Mark Shoulson
Modified: 2017-06-20 15:33 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Simple .svg using <image> element (393 bytes, image/svg+xml)
2011-04-03 14:14 UTC, Mark Shoulson
Details

Description Mark Shoulson 2011-04-03 14:14:27 UTC
Created attachment 185024 [details]
Simple .svg using <image> element

Apparently this *used* to work in older versions of librsvg, but stopped working with the changeover to gio from gnome-vfs.  According to http://www.w3.org/TR/SVG/linking.html , "the ‘image’ element must reference any local or non-local resource", so the xlink:href attribute of an <image> element can be a general IRI, not necessarily local.  So the attached SVG file should show the referenced image.  Using rsvg, it does not, since the switch from gnome-vfs.  The call is made in rsvg-image.c to g_filename_from_uri(), but apparently does not honor non-local URIs.
Comment 1 Federico Mena Quintero 2017-06-20 15:33:55 UTC
If you create an RsvgHandle out of a local file, we disallow loading references to http resources:  we only let you load resources that have the same URI scheme (file://, http://, etc.) as the base file.  Otherwise a malicious SVG file could be used to track you.

Also, for references to local files, we only allow loading references to files that are in the same directory as the base file, or in a subdirectory.  This prevents information leakage attacks if someone sticks "/etc/passwd" as a referenced resource.

This also means that you need to set the base file if you want external references to work at all.  You can use rsvg_handle_get_base_uri(), or pass the base_file argument to the rsvg_handle_new_from_stream_*() functions.