Sharp: SVGs do not support file:// scheme on mac

Hello, did you see the librsvg docs?

"When processing an SVG, librsvg will only load referenced files if they are in the same directory as the base file, or in a subdirectory of it... This is so that malicious SVG files cannot include files that are in a directory above."

https://developer.gnome.org/rsvg/2.45/rsvg-RsvgHandle.html#id-1.2.4.5.4

The test-no-scheme-relative.svg file takes the correct approach.

The librsvg internals use g_file_get_uri to calculate the current directory of the SVG file. That logic will differ slightly between platforms, so perhaps it's producing file://... on Linux hence those test cases working on that platform.

Hi there - I did, I actually read through all the relevant source in librsvg and libvips. The only reason I have a tests without a scheme and with relative paths is because that’s how they’re done in the test suite on librsvg; likewise the reason I use the file:// scheme is because I noticed it was explicitly checked (albeit on a normalized version of the path).

I think your insight around g_file_get_uri is a great lead. I was going to compile debug versions of librsvg and libvips, but didn’t have the tool chain set up on this new laptop, so I tried in docker... and everything suddenly worked as expected. We run Linux in production anyhow so I just pushed my changes, reported the issue here and went to bed :)

If I get a chance today, I’ll see if I can get a debug build for Mac running so I can print out the fully normalized paths being compared.

@mike-marcacci Were you able to make any progress with this?

Hi @lovell, sadly I ran out of time (and will probably be fully preoccupied for the next several weeks). With this only broken on Mac, it’s taken a backseat to some other projects.

I do still hope to get around to diving back into this, though, since our development is done primarily on Mac.

Please feel free to re-open this issue with more details if/when they become available.