Security issue: 'sodipodi:absref' absolute image link inside SVG leaks private informations.
Steps to reproduce:
When saving an SVG containing an image with a relative path, Inkscape stores also an absolute link with the
sodipodi:absref path. But this path stores private informations.
- https://framagit.org/peppercarrot/webcomics/blob/master/ep06_The-Potion-Contest/lang/en/E06P02.svg#L75 → (local file tree, username)
- https://framagit.org/peppercarrot/webcomics/blob/master/ep06_The-Potion-Contest/lang/es/E06P04.svg#L500 → (username)
- https://framagit.org/peppercarrot/webcomics/blob/master/ep27_Coriander-s-Invention/lang/cn/E27P02.svg#L60 → (Windows user)
- https://framagit.org/peppercarrot/webcomics/blob/master/ep03_The-secret-ingredients/lang/ja/E03P06.svg#L59 → (Name)
What is the problem?
This storage is problematic on many levels: first, while working in a collaborative project because one can spy on the real username of other authors (anonymous contribution ruined), their storage file tree including directorie's names and it is not hard to guess the target's operating system this way. So Inkscape is leaking information I'm considering very private.
Example of privacy issue:
- If one store my project into a directory named "Shitty-project-I-cannot-leave", I don't think they want me to see it.
- If someone push from the computer of wife/kids and leaks the name of family members or relatives.
- If someone stores the project on E:/ C:/ D:/ and don't want to be seen as a Windows user.
- If a username has a gender while the nickname on the project hide this information.
Now stronger: imagine if this info are used by a crook doing email fishing? You can use the email of the Git commiter (browsing auto all repositories on Github/Gitlab for this infos) and threat someone you have access on their machine by giving a path proof (pasting a sample of the target file tree/username/etc). I imagine it could be very effective. (That's why I'll need to inform via mailing list the contributors of Pepper&Carrot about this after reporting this).
All in all, this privacy leak actually forces one of my contributor to delete this line everytime before contributing to a translation on Pepper&Carrot (source) and I understand now better the issue.
What should have happened?
Adding this link inside the SVG should be optional and an action the user define (activated by a checkbox in the preferences?) Sorry if it already exists by the way; I tried to look in the pref but couldn't find it. Anyway, it shouldn't be on by default in my opinion because no SVG should contains informations that compromise privacy of their respective authors by default.
I also saw one user on the old bug tracker talking about it back in 2011 here at comment 23. I guess 8 years after privacy is a more sensible topic, thank you for any effort to fix this issue and sorry if my words here feels a bit strong here, my example a bit too dramatic and all in all too much into alert mode
Inkscape Version and Operating System:
- Inkscape Version: All
- Operating system: All
PS: Special thanks to new translator Gunchleoc who found that and made me realising this was problematic.