
Bug#637580: [lintian] new patch set



Package: lintian
Version: 2.5.14
control: block 637580 by 718427
control: tag 637580 + patch

detect also piwik
From e76aa193da8f1f4ad9e1541ca500bc442bcd9fc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Tue, 6 Aug 2013 11:03:01 +0200
Subject: [PATCH 1/3] Test google adsense privacy breach

Google AdSense breaches the privacy of our users. Detect this problem in installed files.
---
 checks/files.desc                                  |    8 ++++++
 checks/files.pm                                    |   28 ++++++++++++++++++++
 t/tests/files-privacybreach/debian/debian/install  |    1 +
 t/tests/files-privacybreach/debian/src/adsense.js  |   12 +++++++++
 .../debian/src/adsenseonlyadds.js                  |    1 +
 .../debian/src/adsenseonlyvar.js                   |   12 +++++++++
 t/tests/files-privacybreach/desc                   |    5 ++++
 t/tests/files-privacybreach/tags                   |    3 +++
 8 files changed, 70 insertions(+)
 create mode 100644 t/tests/files-privacybreach/debian/debian/install
 create mode 100644 t/tests/files-privacybreach/debian/src/adsense.js
 create mode 100644 t/tests/files-privacybreach/debian/src/adsenseonlyadds.js
 create mode 100644 t/tests/files-privacybreach/debian/src/adsenseonlyvar.js
 create mode 100644 t/tests/files-privacybreach/desc
 create mode 100644 t/tests/files-privacybreach/tags

diff --git a/checks/files.desc b/checks/files.desc
index 55f94fd..df1cf26 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -914,6 +914,14 @@ Info: This package contains an embedded copy of JavaScript libraries
  package and symlink the library into the appropriate location.
 Ref: policy 4.13
 
+Tag: privacy-breach-google-adsense
+Severity: important
+Certainty: possible
+Info: This package create a privacy breach by fetching some data from
+ google adsense and feed some private data to google. 
+ Please remove this script.
+Ref: https://wiki.debian.org/Lintian/Tags/privacy-breach-google-adsense
+
 Tag: embedded-feedparser-library
 Severity: normal
 Certainty: certain
diff --git a/checks/files.pm b/checks/files.pm
index a080e56..82deb45 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -22,6 +22,8 @@ package Lintian::files;
 use strict;
 use warnings;
 use autodie;
+use v5.10;
+use feature qw(switch);
 
 use File::Basename;
 
@@ -1005,6 +1007,32 @@ foreach my $file ($info->sorted_index) {
             }
         }
 
+        # ---------------- html file or fragment
+        if ($file =~ m,\.(?:x?html?|js|xht|xml)$,i) {
+            open(my $fd, '<', $info->unpacked($file));
+            my %privacybreachhash = ();
+            while (<$fd>) {
+                if (m,google_ad_client\s*=,) {
+                    unless (exists $privacybreachhash{'google-adsense'}) {
+                        tag 'privacy-breach-google-adsense', $file;
+                        $privacybreachhash{'google-adsense'} = 1;
+                    }
+                }
+                if (m,<script\s+[^>]*?\s+src="(?:http|ftp)://(?'website'[^"]*?)"[^>]*?>,){
+                    my $website=$+{website};
+                    given ($website) {
+                        when (m,googlesyndication.com/pagead/show_ads.js,) {
+                            unless (exists $privacybreachhash{'google-adsense'}) {
+                                tag 'privacy-breach-google-adsense', $file;
+                                $privacybreachhash{'google-adsense'} = 1;
+                            }
+                        }
+                    }
+                }
+            }
+            close($fd);
+        }
+
         # ---------------- fonts
         if ($file =~ m,/([\w-]+\.(?:[to]tf|pfb))$,i) {
             my $font = lc $1;
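Review bot: The script-tag pattern only accepts `http`/`ftp` and requires whitespace-separated text between `<script` and `src`, so `<script src="https://…">` and a bare `<script src="http://…">` both go unreported. Making the leading attributes optional and allowing `https` closes that gap, e.g. `m,<script\s+(?:[^>]*?\s+)?src="(?:https?|ftp)://(?'website'[^"]*?)"[^>]*?>,`; the same pattern is carried unchanged into the `when` in patch 3/3. Separately, `open` is called on `$info->unpacked($file)` for every name matching the extension list with no visible check that the entry is a regular file, so a symlink or special file named `*.js` inside the package would be opened and read too. The enclosing `foreach` starts outside this hunk, so if no earlier guard there already excludes such entries, add one before the `open`. The dots in `googlesyndication.com/pagead/show_ads.js` are also unescaped and match any character.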
diff --git a/t/tests/files-privacybreach/debian/debian/install b/t/tests/files-privacybreach/debian/debian/install
new file mode 100644
index 0000000..12abe36
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/debian/install
@@ -0,0 +1 @@
+src/*.js /usr/share/javascript/
diff --git a/t/tests/files-privacybreach/debian/src/adsense.js b/t/tests/files-privacybreach/debian/src/adsense.js
new file mode 100644
index 0000000..da53cc1
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/adsense.js
@@ -0,0 +1,12 @@
+<script type="text/javascript">
+google_ad_client = "pub-123456789";
+google_ad_width = 728;
+google_ad_height = 90;
+google_ad_format = "728x90_as";
+google_ad_type = "text_image";
+google_color_border = "FFFFFF";
+google_color_bg = "0000FF";
+google_color_link = "FFFFFF";
+google_color_text = "000000";
+google_color_url = "008000";
+</script><script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js";></script>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/adsenseonlyadds.js b/t/tests/files-privacybreach/debian/src/adsenseonlyadds.js
new file mode 100644
index 0000000..907e5fb
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/adsenseonlyadds.js
@@ -0,0 +1 @@
+<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js";></script>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/adsenseonlyvar.js b/t/tests/files-privacybreach/debian/src/adsenseonlyvar.js
new file mode 100644
index 0000000..eb7bdb6
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/adsenseonlyvar.js
@@ -0,0 +1,12 @@
+<script type="text/javascript">
+google_ad_client = "pub-123456789";
+google_ad_width = 728;
+google_ad_height = 90;
+google_ad_format = "728x90_as";
+google_ad_type = "text_image";
+google_color_border = "FFFFFF";
+google_color_bg = "0000FF";
+google_color_link = "FFFFFF";
+google_color_text = "000000";
+google_color_url = "008000";
+</script>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/desc b/t/tests/files-privacybreach/desc
new file mode 100644
index 0000000..2f1b42f
--- /dev/null
+++ b/t/tests/files-privacybreach/desc
@@ -0,0 +1,5 @@
+Testname: files-privacybreach
+Sequence: 6000
+Version: 1.0
+Description: Check for different html privacy breach
+Test-For: privacy-breach-google-adsense
diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags
new file mode 100644
index 0000000..7941e66
--- /dev/null
+++ b/t/tests/files-privacybreach/tags
@@ -0,0 +1,3 @@
+E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsense.js
+E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyadds.js
+E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyvar.js
-- 
1.7.10.4

From 801a424f75a111628d7507be1f53f8ab8552cbaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Tue, 6 Aug 2013 11:32:36 +0200
Subject: [PATCH 2/3] Detect generic privacy breach

When a script fetches content from an external website, it is a potential privacy breach.

Add an experimental tag for it.
---
 checks/files.desc                                        |    7 +++++++
 checks/files.pm                                          |    6 ++++++
 t/tests/files-privacybreach/debian/src/genericwebsite.js |    1 +
 t/tests/files-privacybreach/desc                         |    4 +++-
 t/tests/files-privacybreach/tags                         |    1 +
 5 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 t/tests/files-privacybreach/debian/src/genericwebsite.js

diff --git a/checks/files.desc b/checks/files.desc
index df1cf26..fae942d 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -922,6 +922,13 @@ Info: This package create a privacy breach by fetching some data from
  Please remove this script.
 Ref: https://wiki.debian.org/Lintian/Tags/privacy-breach-google-adsense
 
+Tag: privacy-breach-generic
+Severity: important
+Certainty: wild-guess
+Experimental: yes
+Info: This package create a privacy breach by fetching some data from
+ an external website. Please remove this script.
+
 Tag: embedded-feedparser-library
 Severity: normal
 Certainty: certain
diff --git a/checks/files.pm b/checks/files.pm
index 82deb45..db3abbc 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -1027,6 +1027,12 @@ foreach my $file ($info->sorted_index) {
                                 $privacybreachhash{'google-adsense'} = 1;
                             }
                         }
+                        default {
+                            unless (exists $privacybreachhash{'generic-'.$website}) {
+                                tag 'privacy-breach-generic', $file, $website;
+                                $privacybreachhash{'generic-'.$website} = 1;
+                            }
+                        }
                     }
                 }
             }
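Review bot: With this `default` branch the `unless (exists $privacybreachhash{…}) { tag …; $privacybreachhash{…} = 1; }` idiom appears three times in the loop (twice for adsense in patch 1/3, once here), and patch 3/3 adds a fourth. A small closure declared next to the hash would keep the de-duplication in one place, e.g. `my $tag_once = sub { my ($key, @args) = @_; tag(@args) unless $privacybreachhash{$key}++; };` followed by `$tag_once->('generic-'.$website, 'privacy-breach-generic', $file, $website);`. A one-line comment on the branch stating that the key is the captured URL without its scheme, so each distinct script URL is reported once per file, would also help the next reader. The enclosing `given` starts outside this hunk.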
diff --git a/t/tests/files-privacybreach/debian/src/genericwebsite.js b/t/tests/files-privacybreach/debian/src/genericwebsite.js
new file mode 100644
index 0000000..37aaa96
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/genericwebsite.js
@@ -0,0 +1 @@
+<script type="text/javascript" src="http://www.example.com/trackme.js";></script>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/desc b/t/tests/files-privacybreach/desc
index 2f1b42f..d6cc677 100644
--- a/t/tests/files-privacybreach/desc
+++ b/t/tests/files-privacybreach/desc
@@ -2,4 +2,6 @@ Testname: files-privacybreach
 Sequence: 6000
 Version: 1.0
 Description: Check for different html privacy breach
-Test-For: privacy-breach-google-adsense
+Test-For:
+ privacy-breach-generic
+ privacy-breach-google-adsense
diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags
index 7941e66..b84771b 100644
--- a/t/tests/files-privacybreach/tags
+++ b/t/tests/files-privacybreach/tags
@@ -1,3 +1,4 @@
 E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsense.js
 E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyadds.js
 E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyvar.js
+X: files-privacybreach: privacy-breach-generic usr/share/javascript/genericwebsite.js www.example.com/trackme.js
-- 
1.7.10.4

From 5759b586443d53ce0fc4e79897509f71b92d6728 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Tue, 6 Aug 2013 15:03:57 +0200
Subject: [PATCH 3/3] Add piwik privacy breach detection

Warn when we detect a piwik tracker.
---
 checks/files.desc                                  |   11 ++++-
 checks/files.pm                                    |   49 +++++++++++++-------
 t/tests/files-privacybreach/debian/src/piwik.js    |   12 +++++
 .../files-privacybreach/debian/src/piwikvariant.js |   11 +++++
 t/tests/files-privacybreach/desc                   |    1 +
 t/tests/files-privacybreach/tags                   |    2 +
 6 files changed, 66 insertions(+), 20 deletions(-)
 create mode 100644 t/tests/files-privacybreach/debian/src/piwik.js
 create mode 100644 t/tests/files-privacybreach/debian/src/piwikvariant.js

diff --git a/checks/files.desc b/checks/files.desc
index fae942d..53cb49c 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -922,6 +922,13 @@ Info: This package create a privacy breach by fetching some data from
  Please remove this script.
 Ref: https://wiki.debian.org/Lintian/Tags/privacy-breach-google-adsense
 
+Tag: privacy-breach-piwik
+Severity: important
+Certainty: possible
+Info: This package create a privacy breach by fetching some data from
+ a piwik based web site and feed some private data to it.
+ Please remove this script.
+
 Tag: privacy-breach-generic
 Severity: important
 Certainty: wild-guess
@@ -974,7 +981,7 @@ Info: This package contains a *.ttf, *.otf, or *.pfb file, file
  the font should be packaged separately, since fonts are usually useful
  outside of the package that embeds them.
 
-Tag: license-problem-font-adobe-copyrighted-fragment
+Tag: font-adobe-copyrighted-fragment
 Severity: serious
 Certainty: possible
 Info: This type 1 font file includes some postscript fragment with a
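Review bot: Renaming `license-problem-font-adobe-copyrighted-fragment` to `font-adobe-copyrighted-fragment` here, and the `-no-credit` variant in the next hunk, is unrelated to Piwik detection and looks like a rebase leftover. The `checks/files.pm` hunk of this patch does not touch the code that emits these tags, so if that code still uses the `license-problem-` names, the description and the emitter will disagree and existing overrides would stop matching. Drop both hunks from this patch, or send the rename separately together with the emitter change.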
@@ -984,7 +991,7 @@ Info: This type 1 font file includes some postscript fragment with a
  Should this be a false-positive, please override the tag.
 Ref: http://wiki.debian.org/qa.debian.org/type1nondfsg
 
-Tag: license-problem-font-adobe-copyrighted-fragment-no-credit
+Tag: font-adobe-copyrighted-fragment-no-credit
 Severity: serious
 Certainty: possible
 Info: This type 1 font file includes some postscript fragment with a
diff --git a/checks/files.pm b/checks/files.pm
index db3abbc..349dbd2 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -1011,26 +1011,39 @@ foreach my $file ($info->sorted_index) {
         if ($file =~ m,\.(?:x?html?|js|xht|xml)$,i) {
             open(my $fd, '<', $info->unpacked($file));
             my %privacybreachhash = ();
-            while (<$fd>) {
-                if (m,google_ad_client\s*=,) {
-                    unless (exists $privacybreachhash{'google-adsense'}) {
-                        tag 'privacy-breach-google-adsense', $file;
-                        $privacybreachhash{'google-adsense'} = 1;
+            while (my $line = <$fd>) {
+                given ($line) {
+                    # google adsense
+                    when (m,google_ad_client\s*=,) {
+                        unless (exists $privacybreachhash{'google-adsense'}) {
+                            tag 'privacy-breach-google-adsense', $file;
+                            $privacybreachhash{'google-adsense'} = 1;
+                        }
+                        continue;
                     }
-                }
-                if (m,<script\s+[^>]*?\s+src="(?:http|ftp)://(?'website'[^"]*?)"[^>]*?>,){
-                    my $website=$+{website};
-                    given ($website) {
-                        when (m,googlesyndication.com/pagead/show_ads.js,) {
-                            unless (exists $privacybreachhash{'google-adsense'}) {
-                                tag 'privacy-breach-google-adsense', $file;
-                                $privacybreachhash{'google-adsense'} = 1;
-                            }
+                    # piwik
+                    when(m,piwik_url\s*=, or m,pkBaseURL\s*=, or m,piwik\.js, or  m,End\s+Piwik\s+(?:Tag|Code),) {
+                        unless (exists $privacybreachhash{'piwik'}) {
+                            tag 'privacy-breach-piwik', $file;
+                            $privacybreachhash{'piwik'} = 1;
                         }
-                        default {
-                            unless (exists $privacybreachhash{'generic-'.$website}) {
-                                tag 'privacy-breach-generic', $file, $website;
-                                $privacybreachhash{'generic-'.$website} = 1;
+                        continue;
+                    }
+                    # script tag
+                    when (m,<script\s+[^>]*?\s+src="(?:http|ftp)://(?'website'[^"]*?)"[^>]*?>,){
+                        my $website=$+{website};
+                        given ($website) {
+                            when (m,googlesyndication.com/pagead/show_ads.js,) {
+                                unless (exists $privacybreachhash{'google-adsense'}) {
+                                    tag 'privacy-breach-google-adsense', $file;
+                                    $privacybreachhash{'google-adsense'} = 1;
+                                }
+                            }
+                            default {
+                                unless (exists $privacybreachhash{'generic-'.$website}) {
+                                    tag 'privacy-breach-generic', $file, $website;
+                                    $privacybreachhash{'generic-'.$website} = 1;
+                                }
                             }
                         }
                     }
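Review bot: Wrapping the per-line tests in `given ($line)` with `continue` at the end of the adsense and piwik branches behaves like the independent `if` statements it replaces. It also extends the use of `given`/`when`, which perl marks experimental and warns about from 5.18 on, so plain `if ($line =~ …)` blocks would keep the behaviour without that dependency. The piwik branch also matches the bare substring `piwik\.js` and the comment text `End Piwik Tag`/`Code`, so a file that only mentions the tracker (documentation, or Piwik's own shipped files) is tagged. Tightening that alternative to a load context, something like `m,src\s*=[^;]*piwik\.js,`, or adding a comment that states the accepted false positives, would help. The enclosing loop starts and ends outside this hunk.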
diff --git a/t/tests/files-privacybreach/debian/src/piwik.js b/t/tests/files-privacybreach/debian/src/piwik.js
new file mode 100644
index 0000000..8a2ce39
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/piwik.js
@@ -0,0 +1,12 @@
+<!-- Piwik -->
+<script type="text/javascript">
+var pkBaseURL = (("https:" == document.location.protocol) ? "https://apps.sourceforge.net/piwik/matplotlib/"; : "http://apps.sourceforge.net/piwik/matplotlib/";);
+document.write(unescape("%3Cscript src='" + pkBaseURL + "piwik.js' type='text/javascript'%3E%3C/script%3E"));
+</script><script type="text/javascript">
+piwik_action_name = '';
+piwik_idsite = 1;
+piwik_url = pkBaseURL + "piwik.php";
+piwik_log(piwik_action_name, piwik_idsite, piwik_url);
+</script>
+<object><noscript><p><img src="http://apps.sourceforge.net/piwik/matplotlib/piwik.php?idsite=1"; alt="piwik"/></p></noscript></object>
+<!-- End Piwik Tag -->
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/piwikvariant.js b/t/tests/files-privacybreach/debian/src/piwikvariant.js
new file mode 100644
index 0000000..6a8e5cb
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/piwikvariant.js
@@ -0,0 +1,11 @@
+<!-- Piwik --> <script type="text/javascript"> 
+var _paq = _paq || []; 
+(function(){ var u=(("https:" == document.location.protocol) ? "https://{$PIWIK_URL}/"; : "http://{$PIWIK_URL}/";); 
+_paq.push(['setSiteId', {$IDSITE}]); 
+_paq.push(['setTrackerUrl', u+'piwik.php']); 
+_paq.push(['trackPageView']); 
+_paq.push(['enableLinkTracking']); 
+var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.type='text/javascript'; g.defer=true; g.async=true; g.src=u+'piwik.js'; 
+s.parentNode.insertBefore(g,s); })();
+ </script> 
+<!-- End Piwik Code -->
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/desc b/t/tests/files-privacybreach/desc
index d6cc677..2f00722 100644
--- a/t/tests/files-privacybreach/desc
+++ b/t/tests/files-privacybreach/desc
@@ -5,3 +5,4 @@ Description: Check for different html privacy breach
 Test-For:
  privacy-breach-generic
  privacy-breach-google-adsense
+ privacy-breach-piwik
diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags
index b84771b..b84d04b 100644
--- a/t/tests/files-privacybreach/tags
+++ b/t/tests/files-privacybreach/tags
@@ -1,4 +1,6 @@
 E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsense.js
 E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyadds.js
 E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyvar.js
+E: files-privacybreach: privacy-breach-piwik usr/share/javascript/piwik.js
+E: files-privacybreach: privacy-breach-piwik usr/share/javascript/piwikvariant.js
 X: files-privacybreach: privacy-breach-generic usr/share/javascript/genericwebsite.js www.example.com/trackme.js
-- 
1.7.10.4

