[Webkit-unassigned] [Bug 31106] Sanitize web fonts using the OTS library

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 9 16:04:16 PST 2009


https://bugs.webkit.org/show_bug.cgi?id=31106

--- Comment #37 from Adam Langley <agl at chromium.org>  2009-11-09 16:04:13 PDT ---
> What makes one parser (the sanitizer) less prone to security bugs than the actual font parser?

The reasons behind using a sanitiser:
  * Should bugs in popular parsers be found or known, we can render them
irrelevant with the sanitiser. Since we don't control the system font parser,
the time to patch may be unbounded and it's almost certainly a lot longer than
the patch time of Chrome. For Safari on OS X this isn't an issue, since Apple
controls both. But for any WebKit browser on Windows, this is a concern.
  * The system font parser may not be open source. In this case, security folks
can review the sanitiser, but not the system font parser. The sanitiser is also
a lot smaller than a full parser/renderer, thus it's easier to review and to
see where attacker-controlled values are going.

So, you're correct that adding the sanitiser introduces the possibility of
exploiting a bug in the sanitiser itself. However, given the two points above,
I believe it's a worthwhile tradeoff.

> If it is in fact a good idea to have this sanitizer, then I believe a copy
> should live in the webkit tree (just as image decoders live in the tree).

At this point, I believe that's premature. But, if people feel strongly, I will
concede as I don't feel that strongly.

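As an added illustration of the sanitiser approach argued for in the comment above (example code written for this page, not OTS or WebKit code): a toy C++ sanitiser that validates an OpenType table directory and re-serialises only the tables it accepts. The whitelist of tags, the `toy_ots` namespace and the three constructed sample fonts are assumptions made for the example; real OTS also parses each table's contents, which this example stops short of.

```cpp
// Added example (not OTS/WebKit code): a toy OpenType table-directory sanitiser.
// It bounds-checks every table record, keeps only a whitelist of tags and
// re-serialises the survivors into a fresh buffer, so the system font parser
// only sees bytes this code wrote. Real OTS also parses each table's contents.
#include <algorithm>
#include <cstdint>
#include <vector>

namespace toy_ots {
typedef std::vector<uint8_t> Bytes;
struct Table { uint32_t tag; Bytes data; };
struct Record { uint32_t tag, checksum, offset, length; };  // one 16-byte directory entry

static uint32_t ReadU32(const Bytes& b, size_t o) {
  return (uint32_t(b[o]) << 24) | (uint32_t(b[o + 1]) << 16) | (uint32_t(b[o + 2]) << 8) | b[o + 3];
}
static uint16_t ReadU16(const Bytes& b, size_t o) { return uint16_t((b[o] << 8) | b[o + 1]); }
static void PutU32(Bytes& b, uint32_t v) { for (int s = 24; s >= 0; s -= 8) b.push_back(uint8_t(v >> s)); }
static void PutU16(Bytes& b, uint16_t v) { b.push_back(uint8_t(v >> 8)); b.push_back(uint8_t(v)); }
static uint32_t Tag(const char* s) { return ReadU32(Bytes(s, s + 4), 0); }
static void Append(Bytes& body, const Bytes& t) {  // copy a table and pad to 4-byte alignment
  body.insert(body.end(), t.begin(), t.end());
  while (body.size() % 4) body.push_back(0);
}
static bool IsAllowedTag(uint32_t tag) {  // assumed whitelist of the tables a renderer needs
  static const char* const kAllowed[] = {"cmap", "glyf", "head", "hhea", "hmtx", "loca",
                                         "maxp", "name", "post", "OS/2", "CFF "};
  for (const char* a : kAllowed) if (Tag(a) == tag) return true;
  return false;
}
static uint32_t Checksum(const Bytes& d) {  // OpenType: sum of big-endian uint32s, zero-padded
  uint32_t sum = 0;
  for (size_t i = 0; i < d.size(); ++i) sum += uint32_t(d[i]) << (8 * (3 - i % 4));
  return sum;
}

// sfnt header + directory for `recs`, then `body`. The sanitiser feeds it
// recomputed records; the constructed samples below feed it hostile ones.
static Bytes Assemble(uint32_t version, const std::vector<Record>& recs, const Bytes& body) {
  uint16_t pow2 = 1, sel = 0;  // searchRange / entrySelector / rangeShift as the spec defines them
  while (uint32_t(pow2) * 2 <= recs.size()) { pow2 *= 2; ++sel; }
  Bytes out;
  PutU32(out, version); PutU16(out, uint16_t(recs.size())); PutU16(out, uint16_t(pow2 * 16));
  PutU16(out, sel); PutU16(out, uint16_t(recs.size() * 16 - pow2 * 16));
  for (const Record& r : recs) { PutU32(out, r.tag); PutU32(out, r.checksum); PutU32(out, r.offset); PutU32(out, r.length); }
  out.insert(out.end(), body.begin(), body.end());
  return out;
}

// Returns true and fills *out with a re-serialised font, or false to reject it.
bool Sanitize(const Bytes& in, Bytes* out) {
  const size_t kHeader = 12, kRecord = 16;
  if (in.size() < kHeader) return false;
  const uint32_t version = ReadU32(in, 0);
  if (version != 0x00010000 && version != Tag("OTTO")) return false;
  const size_t num_tables = ReadU16(in, 4);
  if (num_tables == 0 || kHeader + num_tables * kRecord > in.size()) return false;
  std::vector<Table> tables;
  for (size_t i = 0; i < num_tables; ++i) {
    const size_t rec = kHeader + i * kRecord;
    const uint32_t tag = ReadU32(in, rec), offset = ReadU32(in, rec + 8), length = ReadU32(in, rec + 12);
    const uint64_t end = uint64_t(offset) + length;         // 64-bit, so offset + length cannot wrap
    if (end > in.size() || offset % 4 != 0) return false;   // malformed directory: reject the file
    if (!IsAllowedTag(tag)) continue;                        // unknown table: drop it, keep the font
    for (const Table& t : tables) if (t.tag == tag) return false;  // duplicate tag: reject
    tables.push_back(Table{tag, Bytes(in.begin() + offset, in.begin() + size_t(end))});
  }
  if (tables.empty()) return false;
  std::sort(tables.begin(), tables.end(), [](const Table& a, const Table& b) { return a.tag < b.tag; });
  // Fresh directory: every offset, length and checksum comes from our copy, never from the input.
  std::vector<Record> recs; Bytes body;
  const size_t dir_end = kHeader + tables.size() * kRecord;
  for (const Table& t : tables) {
    recs.push_back(Record{t.tag, Checksum(t.data), uint32_t(dir_end + body.size()), uint32_t(t.data.size())});
    Append(body, t.data);
  }
  *out = Assemble(version, recs, body);
  return true;
}

// Constructed samples (not real fonts): kGood = head + glyf + a junk "evil" table;
// kOverlong = glyf runs past the file; kWrap = evil's offset + length wraps in 32 bits.
enum SampleKind { kGood = 0, kOverlong = 1, kWrap = 2 };
Bytes Sample(SampleKind kind) {
  Bytes body, head(54, 0x11), glyf(10, 0x22), evil(8, 0x33);
  const uint32_t base = 12 + 3 * 16;  // tables start right after the directory
  std::vector<Record> recs;
  recs.push_back(Record{Tag("head"), 0, base, 54});                                      Append(body, head);
  recs.push_back(Record{Tag("glyf"), 0, base + 56, kind == kOverlong ? 0x10000u : 10u}); Append(body, glyf);
  recs.push_back(Record{Tag("evil"), 0, kind == kWrap ? 0xFFFFFFF8u : base + 68, 8u});   Append(body, evil);
  return Assemble(0x00010000, recs, body);
}
int SanitizedTableCount(const Bytes& font) {  // tables kept, or -1 if the font was rejected
  Bytes out;
  return Sanitize(font, &out) ? int(ReadU16(out, 4)) : -1;
}
bool SanitizedHasTag(const Bytes& font, const char* tag) {  // does the output still list `tag`?
  Bytes out;
  if (!Sanitize(font, &out)) return false;
  for (size_t i = 0, n = ReadU16(out, 4); i < n; ++i)
    if (ReadU32(out, 12 + i * 16) == Tag(tag)) return true;
  return false;
}
}  // namespace toy_ots
```

Two of the three constructed inputs are rejected outright, and the third comes back with its junk table gone and every offset and checksum recomputed. That is the property the comment relies on: whatever the system parser receives was produced by the small, reviewable serialiser rather than copied from the attacker's bytes, and a wrap-around such as the kWrap sample, which a 32-bit `offset + length <= size` check would wave through, never reaches it.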