Jeremy Stashewsky authored
This patch fixes a security vulnerability when using the batch or command-line processing features of Inkscape.

The flaw allows an author of a malicious SVG file to trivially specify the href of a local or remote file to bring in as a `<text>` body or other element. The exact impact to security will depend a lot on the context in which Inkscape is being run, but in the worst-case scenario this can lead to leaking of private information, credentials, etc. Formally, this is a Local File Inclusion (LFI) and Server Side Request Forgery (SSRF) vulnerability vector.

XInclude processing is retained for shortcut "keys" files _only_, which seems to have been the original intent behind the commit that introduced the vulnerability: inkscape/inkscape@e6eee384
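
For deployments that run an unpatched Inkscape in batch or command-line mode on untrusted SVG, a pre-flight check can reject files that contain XInclude elements of the kind the commit message describes. This is an added example, not part of the commit or of Inkscape's code; the function names and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XInclude processors such as libxml2 recognise both namespace URIs.
XINCLUDE_NAMESPACES = {
    "http://www.w3.org/2001/XInclude",
    "http://www.w3.org/2003/XInclude",
}

# Constructed sample: an SVG whose <text> body would be pulled from another file.
SAMPLE_WITH_INCLUDE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xi="http://www.w3.org/2001/XInclude">
  <text x="10" y="20"><xi:include href="file:///path/to/local-file" parse="text"/></text>
</svg>"""

# Constructed sample: an ordinary SVG with no XInclude elements.
SAMPLE_CLEAN = """<svg xmlns="http://www.w3.org/2000/svg">
  <text x="10" y="20">hello</text>
</svg>"""


def find_xincludes(svg_text):
    """Return (href, parse) for every XInclude include element in the document.

    ElementTree does not perform XInclude processing while parsing, so
    inspecting the tree does not fetch the referenced resource.
    """
    hits = []
    for elem in ET.fromstring(svg_text).iter():
        tag = elem.tag
        if not isinstance(tag, str) or not tag.startswith("{"):
            continue  # element without a namespace
        namespace, _, local_name = tag[1:].partition("}")
        if namespace in XINCLUDE_NAMESPACES and local_name == "include":
            # parse defaults to "xml" when the attribute is absent
            hits.append((elem.get("href"), elem.get("parse", "xml")))
    return hits


def is_safe_for_batch(svg_text):
    """Fail closed: a file that does not parse is treated as unsafe."""
    try:
        return not find_xincludes(svg_text)
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for name, doc in (("with include", SAMPLE_WITH_INCLUDE), ("clean", SAMPLE_CLEAN)):
        print(name, "->", "accept" if is_safe_for_batch(doc) else "reject", find_xincludes(doc))
```
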