Page MenuHomePhabricator

Files created in Adobe Illustrator and edited in Inkscape rejected with 'uploadscriptednamespace'
Closed, ResolvedPublic

Description

Some SVG files created in Adobe Illustrator and edited in Inkscape are rejected when you try to upload them with 'uploadscriptednamespace' error ("This SVG file contains an illegal namespace"). This is caused by Illustrator using an absolutely ridiculous syntax for XML namespace definitions and Inkscape being unable to parse them.

Two reports of this issue I'm aware of:


Here's another file I found on Commons that exhibits this issue: https://commons.wikimedia.org/wiki/File:Andhra_Pradesh_in_India_(claimed_and_disputed_hatched).svg

To reproduce:

  1. Download that file.
  2. Open and save in Inkscape – result:
  3. Try uploading it back.

The original Illustrator file starts with:

<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 13.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 14948)  -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" [
	<!ENTITY ns_extend "http://ns.adobe.com/Extensibility/1.0/">
	<!ENTITY ns_ai "http://ns.adobe.com/AdobeIllustrator/10.0/">
	<!ENTITY ns_graphs "http://ns.adobe.com/Graphs/1.0/">
	<!ENTITY ns_vars "http://ns.adobe.com/Variables/1.0/">
	<!ENTITY ns_imrep "http://ns.adobe.com/ImageReplacement/1.0/">
	<!ENTITY ns_sfw "http://ns.adobe.com/SaveForWeb/1.0/">
	<!ENTITY ns_custom "http://ns.adobe.com/GenericCustomNamespace/1.0/">
	<!ENTITY ns_adobe_xpath "http://ns.adobe.com/XPath/1.0/">
]>
<svg version="1.1"
	 id="svg2" xmlns:x="&ns_extend;" xmlns:i="&ns_ai;" xmlns:graph="&ns_graphs;" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:svg="http://www.w3.org/2000/svg" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns:cc="http://creativecommons.org/ns#" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" inkscape:output_extension="org.inkscape.output.svg.inkscape" sodipodi:version="0.32" sodipodi:docname="India_location_map.svg" inkscape:version="0.46"
	 xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1500px"
	 height="1614.844px" viewBox="0 0 1500 1614.844" enable-background="new 0 0 1500 1614.844" xml:space="preserve">

Upon editing it with Inkscape, I get:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Generator: Adobe Illustrator 13.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 14948)  -->

<svg
   xmlns:i="&amp;ns_ai;"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:cc="http://creativecommons.org/ns#"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:svg="http://www.w3.org/2000/svg"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:xlink="http://www.w3.org/1999/xlink"
   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
   version="1.1"
   id="svg2"
   inkscape:output_extension="org.inkscape.output.svg.inkscape"
   sodipodi:version="0.32"
   sodipodi:docname="Andhra_Pradesh_in_India_(claimed_and_disputed_hatched).svg"
   inkscape:version="0.48.4 r9939"
   x="0px"
   y="0px"
   width="1500px"
   height="1614.844px"
   viewBox="0 0 1500 1614.844"
   enable-background="new 0 0 1500 1614.844"
   xml:space="preserve">

The xmlns:i namespace definition has been mangled. (Other namespace definitions were removed, since they're not actually used in the file.)

Opening and saving the file again causes xmlns:i="&amp;ns_ai;" to turn into xmlns:i="&amp;#38;ns_ai;", then xmlns:i="&amp;#38;#38;ns_ai;" and so on.


So… I guess what I'm asking is, can we relax the checks in UploadBase::checkSvgScriptCallback() to allow these broken namespace names? Mostly everything ignores them and renders the file file, and I don't think they can be a security vulnerability in any way.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Oh, also. The workaround is:

  1. Open the file with a text editor, remove all broken namespace definitions (basically, everything with &amp; in it) near the top of the file.
  2. Open the edited file in Inkscape again, click File → Save As…, from the "Save as type:" dropdown select "Plain SVG", and save the file.

Yeah, that sounds fine to me. (As in letting &amp;ns_foo; through sounds fine. I'd still want to block &ns_foo; in the case of a missing entity deceleration though, just because that sounds sketchy)

matmarex triaged this task as Medium priority.

Change 314349 had a related patch set uploaded (by Bartosz Dziewoński):
UploadBase: Permit SVG files with broken namespace definition (Inkscape bug)

https://gerrit.wikimedia.org/r/314349

Change 314349 merged by jenkins-bot:
UploadBase: Permit SVG files with broken namespace definition (Inkscape bug)

https://gerrit.wikimedia.org/r/314349

This will be deployed to production next week.