Bug#718427: [lintian] New patch set
Package: lintian
Version: 2.5.14
New patch set commands
From 56baf72e6455caa0b0d7739e5690b9a8e6fc4e7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Tue, 6 Aug 2013 11:03:01 +0200
Subject: [PATCH 1/9] Test google adsense privacy breach
Google adsense breaches the privacy of our users. Detect such problems in installed files.
---
checks/files.desc | 8 ++++++
checks/files.pm | 28 ++++++++++++++++++++
t/tests/files-privacybreach/debian/debian/install | 1 +
t/tests/files-privacybreach/debian/src/adsense.js | 12 +++++++++
.../debian/src/adsenseonlyadds.js | 1 +
.../debian/src/adsenseonlyvar.js | 12 +++++++++
t/tests/files-privacybreach/desc | 5 ++++
t/tests/files-privacybreach/tags | 3 +++
8 files changed, 70 insertions(+)
create mode 100644 t/tests/files-privacybreach/debian/debian/install
create mode 100644 t/tests/files-privacybreach/debian/src/adsense.js
create mode 100644 t/tests/files-privacybreach/debian/src/adsenseonlyadds.js
create mode 100644 t/tests/files-privacybreach/debian/src/adsenseonlyvar.js
create mode 100644 t/tests/files-privacybreach/desc
create mode 100644 t/tests/files-privacybreach/tags
diff --git a/checks/files.desc b/checks/files.desc
index 55f94fd..df1cf26 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -914,6 +914,14 @@ Info: This package contains an embedded copy of JavaScript libraries
package and symlink the library into the appropriate location.
Ref: policy 4.13
+Tag: privacy-breach-google-adsense
+Severity: important
+Certainty: possible
+Info: This package create a privacy breach by fetching some data from
+ google adsense and feed some private data to google.
+ Please remove this script.
+Ref: https://wiki.debian.org/Lintian/Tags/privacy-breach-google-adsense
+
Tag: embedded-feedparser-library
Severity: normal
Certainty: certain
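Review bot: The new tag's Info text is user-facing and reads awkwardly ("This package create a privacy breach by fetching some data from google adsense and feed some private data to google"); I would write it as `Info: This package creates a privacy breach by fetching data from Google AdSense and feeding private data to Google.` followed by the existing ` Please remove this script.` line. The same "This package create … and feed" phrasing recurs in the piwik and google-cse tag descriptions added later in this series, so it is worth fixing in one pass.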
diff --git a/checks/files.pm b/checks/files.pm
index a080e56..bfc2986 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -22,6 +22,8 @@ package Lintian::files;
use strict;
use warnings;
use autodie;
+use v5.10;
+use feature qw(switch);
use File::Basename;
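Review bot: `use feature qw(switch)` pulls in given/when, which perl 5.18 (released before this patch) reclassified as experimental, so under the file's `use warnings` every `given` in the new code emits an experimental::smartmatch warning on 5.18 and later. Each `when` in the series is a plain regex or `eq` test, so an `if`/`elsif` chain expresses the same dispatch without the feature; if given/when is kept, add `no warnings 'experimental::smartmatch';` next to the feature line with a comment saying why. `use v5.10;` after `use strict; use warnings;` is harmless, but a short comment stating what it is there for (presumably the named captures used below) would help the next reader.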
@@ -1005,6 +1007,32 @@ foreach my $file ($info->sorted_index) {
}
}
+ # ---------------- html file or fragment
+ if ($file =~ m,\.(?:x?html?|js|xht|xml)$,i) {
+ open(my $fd, '<', $info->unpacked($file));
+ my %privacybreachhash = ();
+ while (<$fd>) {
+ if (m,google_ad_client\s*=,) {
+ unless (exists $privacybreachhash{'google-adsense'}) {
+ tag 'privacy-breach-google-adsense', $file;
+ $privacybreachhash{'google-adsense'} = 1;
+ }
+ }
+ if (m,<script\s+[^>]*?\s+src="(?:http|ftp)://(?'website'[^"]*?)"[^>]*?>,) {
+ my $website=$+{website};
+ given ($website) {
+ when (m,googlesyndication\.com/pagead/show_ads\.js,) {
+ unless (exists $privacybreachhash{'google-adsense'}) {
+ tag 'privacy-breach-google-adsense', $file;
+ $privacybreachhash{'google-adsense'} = 1;
+ }
+ }
+ }
+ }
+ }
+ close($fd);
+ }
+
# ---------------- fonts
if ($file =~ m,/([\w-]+\.(?:[to]tf|pfb))$,i) {
my $font = lc $1;
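Review bot: The script regex `<script\s+[^>]*?\s+src=` needs two whitespace runs before `src`, so a bare `<script src="http://…">` with no attribute ahead of `src` never matches and is not tagged; only the fixture's `type="text/javascript" src=` form is exercised by the tests. Making the leading attribute run optional, `<script (?:\s+[^>]*?)? \s+ src \s* = \s* "…` under `/x`, covers both shapes. The loop also reads into `$_` and calls `tag` inside it; naming the line, `while (my $line = <$fd>)`, removes any dependence on `tag` preserving `$_`. `open` follows whatever `$info->unpacked($file)` resolves to, and the enclosing `foreach` starts outside the hunk, so please confirm it already restricts `$file` to regular files rather than symlinks before this branch is reached.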
diff --git a/t/tests/files-privacybreach/debian/debian/install b/t/tests/files-privacybreach/debian/debian/install
new file mode 100644
index 0000000..12abe36
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/debian/install
@@ -0,0 +1 @@
+src/*.js /usr/share/javascript/
diff --git a/t/tests/files-privacybreach/debian/src/adsense.js b/t/tests/files-privacybreach/debian/src/adsense.js
new file mode 100644
index 0000000..da53cc1
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/adsense.js
@@ -0,0 +1,12 @@
+<script type="text/javascript">
+google_ad_client = "pub-123456789";
+google_ad_width = 728;
+google_ad_height = 90;
+google_ad_format = "728x90_as";
+google_ad_type = "text_image";
+google_color_border = "FFFFFF";
+google_color_bg = "0000FF";
+google_color_link = "FFFFFF";
+google_color_text = "000000";
+google_color_url = "008000";
+</script><script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/adsenseonlyadds.js b/t/tests/files-privacybreach/debian/src/adsenseonlyadds.js
new file mode 100644
index 0000000..907e5fb
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/adsenseonlyadds.js
@@ -0,0 +1 @@
+<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/adsenseonlyvar.js b/t/tests/files-privacybreach/debian/src/adsenseonlyvar.js
new file mode 100644
index 0000000..eb7bdb6
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/adsenseonlyvar.js
@@ -0,0 +1,12 @@
+<script type="text/javascript">
+google_ad_client = "pub-123456789";
+google_ad_width = 728;
+google_ad_height = 90;
+google_ad_format = "728x90_as";
+google_ad_type = "text_image";
+google_color_border = "FFFFFF";
+google_color_bg = "0000FF";
+google_color_link = "FFFFFF";
+google_color_text = "000000";
+google_color_url = "008000";
+</script>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/desc b/t/tests/files-privacybreach/desc
new file mode 100644
index 0000000..2f1b42f
--- /dev/null
+++ b/t/tests/files-privacybreach/desc
@@ -0,0 +1,5 @@
+Testname: files-privacybreach
+Sequence: 6000
+Version: 1.0
+Description: Check for different html privacy breach
+Test-For: privacy-breach-google-adsense
diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags
new file mode 100644
index 0000000..7941e66
--- /dev/null
+++ b/t/tests/files-privacybreach/tags
@@ -0,0 +1,3 @@
+E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsense.js
+E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyadds.js
+E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyvar.js
--
1.7.10.4
From 901d5fae3565f820473bd098d9a5db356b915d53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Tue, 6 Aug 2013 11:32:36 +0200
Subject: [PATCH 2/9] Detect generic privacy breach
When a script fetches an external website, there is a potential privacy breach.
Add an experimental tag for it.
---
checks/files.desc | 7 +++++++
checks/files.pm | 6 ++++++
t/tests/files-privacybreach/debian/src/genericwebsite.js | 1 +
t/tests/files-privacybreach/desc | 4 +++-
t/tests/files-privacybreach/tags | 1 +
5 files changed, 18 insertions(+), 1 deletion(-)
create mode 100644 t/tests/files-privacybreach/debian/src/genericwebsite.js
diff --git a/checks/files.desc b/checks/files.desc
index df1cf26..fae942d 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -922,6 +922,13 @@ Info: This package create a privacy breach by fetching some data from
Please remove this script.
Ref: https://wiki.debian.org/Lintian/Tags/privacy-breach-google-adsense
+Tag: privacy-breach-generic
+Severity: important
+Certainty: wild-guess
+Experimental: yes
+Info: This package create a privacy breach by fetching some data from
+ an external website. Please remove this script.
+
Tag: embedded-feedparser-library
Severity: normal
Certainty: certain
diff --git a/checks/files.pm b/checks/files.pm
index bfc2986..491e699 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -1027,6 +1027,12 @@ foreach my $file ($info->sorted_index) {
$privacybreachhash{'google-adsense'} = 1;
}
}
+ default {
+ unless (exists $privacybreachhash{'generic-'.$website}) {
+ tag 'privacy-breach-generic', $file, $website;
+ $privacybreachhash{'generic-'.$website} = 1;
+ }
+ }
}
}
}
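Review bot: The new `default` branch only ever sees URLs admitted by the enclosing `src=` regex, which accepts `http://` and `ftp://` but not `https://`, so an https-hosted tracker script is silently ignored while the same script over http is tagged. Changing the scheme group to `(?:https?|ftp)://` closes that gap. The `given` this branch belongs to starts outside the hunk.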
diff --git a/t/tests/files-privacybreach/debian/src/genericwebsite.js b/t/tests/files-privacybreach/debian/src/genericwebsite.js
new file mode 100644
index 0000000..37aaa96
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/genericwebsite.js
@@ -0,0 +1 @@
+<script type="text/javascript" src="http://www.example.com/trackme.js"></script>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/desc b/t/tests/files-privacybreach/desc
index 2f1b42f..d6cc677 100644
--- a/t/tests/files-privacybreach/desc
+++ b/t/tests/files-privacybreach/desc
@@ -2,4 +2,6 @@ Testname: files-privacybreach
Sequence: 6000
Version: 1.0
Description: Check for different html privacy breach
-Test-For: privacy-breach-google-adsense
+Test-For:
+ privacy-breach-generic
+ privacy-breach-google-adsense
diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags
index 7941e66..b84771b 100644
--- a/t/tests/files-privacybreach/tags
+++ b/t/tests/files-privacybreach/tags
@@ -1,3 +1,4 @@
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsense.js
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyadds.js
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyvar.js
+X: files-privacybreach: privacy-breach-generic usr/share/javascript/genericwebsite.js www.example.com/trackme.js
--
1.7.10.4
From 8d7cb79052eb894af14f5234c23438491998cabe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Wed, 7 Aug 2013 10:52:48 +0200
Subject: [PATCH 3/9] Detect piwik privacy breach
Detect piwik privacy breach
---
checks/files.desc | 7 +++++++
checks/files.pm | 22 +++++++++++++++++---
t/tests/files-privacybreach/debian/src/piwik.js | 12 +++++++++++
.../files-privacybreach/debian/src/piwikvariant.js | 11 ++++++++++
t/tests/files-privacybreach/desc | 1 +
t/tests/files-privacybreach/tags | 2 ++
6 files changed, 52 insertions(+), 3 deletions(-)
create mode 100644 t/tests/files-privacybreach/debian/src/piwik.js
create mode 100644 t/tests/files-privacybreach/debian/src/piwikvariant.js
diff --git a/checks/files.desc b/checks/files.desc
index fae942d..f710ada 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -922,6 +922,13 @@ Info: This package create a privacy breach by fetching some data from
Please remove this script.
Ref: https://wiki.debian.org/Lintian/Tags/privacy-breach-google-adsense
+Tag: privacy-breach-piwik
+Severity: important
+Certainty: possible
+Info: This package create a privacy breach by fetching some data from
+ a piwik based web site and feed some private data to it.
+ Please remove this script.
+
Tag: privacy-breach-generic
Severity: important
Certainty: wild-guess
diff --git a/checks/files.pm b/checks/files.pm
index 491e699..584e1f0 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -1011,14 +1011,24 @@ foreach my $file ($info->sorted_index) {
if ($file =~ m,\.(?:x?html?|js|xht|xml)$,i) {
open(my $fd, '<', $info->unpacked($file));
my %privacybreachhash = ();
- while (<$fd>) {
- if (m,google_ad_client\s*=,) {
+ while (my $line = <$fd>) {
+ if($line =~ m,google_ad_client\s*=,) {
unless (exists $privacybreachhash{'google-adsense'}) {
tag 'privacy-breach-google-adsense', $file;
$privacybreachhash{'google-adsense'} = 1;
}
}
- if (m,<script\s+[^>]*?\s+src="(?:http|ftp)://(?'website'[^"]*?)"[^>]*?>,) {
+ # piwik
+ if($line =~ m,piwik_url\s*=, or
+ $line =~ m,pkBaseURL\s*=, or
+ $line =~ m,piwik\.js, or
+ $line =~ m,End\s+Piwik\s+(?:Tag|Code),) {
+ unless (exists $privacybreachhash{'piwik'}) {
+ tag 'privacy-breach-piwik', $file;
+ $privacybreachhash{'piwik'} = 1;
+ }
+ }
+ if($line =~ m,<script\s+[^>]*?\s+src="(?:http|ftp)://(?'website'[^"]*?)"[^>]*?>,) {
my $website=$+{website};
given ($website) {
when (m,googlesyndication\.com/pagead/show_ads\.js,) {
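Review bot: The piwik checks use `if($line =~` with no space after `if` and `my $website=$+{website}` with no spaces around `=`, while the surrounding file writes `if ($file =~` and spaces its assignments. The hunk that follows adds `when (m,piwik.php\?,)`, where the unescaped `.` matches any character; `piwik\.php\?` is what is meant, as in the `piwik\.js` pattern above. The four piwik patterns are bare substring matches, so a package that ships or documents piwik itself (a local `piwik.js` reference, or the literal text "End Piwik Tag" in an html page) is tagged as well; with `Certainty: possible` that is defensible, but a comment above the `# piwik` block saying the patterns are deliberately loose would save the next reader from trying to tighten them.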
@@ -1027,6 +1037,12 @@ foreach my $file ($info->sorted_index) {
$privacybreachhash{'google-adsense'} = 1;
}
}
+ when (m,piwik.php\?,) {
+ unless (exists $privacybreachhash{'piwik'}) {
+ tag 'privacy-breach-piwik', $file;
+ $privacybreachhash{'piwik'} = 1;
+ }
+ }
default {
unless (exists $privacybreachhash{'generic-'.$website}) {
tag 'privacy-breach-generic', $file, $website;
diff --git a/t/tests/files-privacybreach/debian/src/piwik.js b/t/tests/files-privacybreach/debian/src/piwik.js
new file mode 100644
index 0000000..8a2ce39
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/piwik.js
@@ -0,0 +1,12 @@
+<!-- Piwik -->
+<script type="text/javascript">
+var pkBaseURL = (("https:" == document.location.protocol) ? "https://apps.sourceforge.net/piwik/matplotlib/" : "http://apps.sourceforge.net/piwik/matplotlib/");
+document.write(unescape("%3Cscript src='" + pkBaseURL + "piwik.js' type='text/javascript'%3E%3C/script%3E"));
+</script><script type="text/javascript">
+piwik_action_name = '';
+piwik_idsite = 1;
+piwik_url = pkBaseURL + "piwik.php";
+piwik_log(piwik_action_name, piwik_idsite, piwik_url);
+</script>
+<object><noscript><p><img src="http://apps.sourceforge.net/piwik/matplotlib/piwik.php?idsite=1" alt="piwik"/></p></noscript></object>
+<!-- End Piwik Tag -->
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/piwikvariant.js b/t/tests/files-privacybreach/debian/src/piwikvariant.js
new file mode 100644
index 0000000..6a8e5cb
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/piwikvariant.js
@@ -0,0 +1,11 @@
+<!-- Piwik --> <script type="text/javascript">
+var _paq = _paq || [];
+(function(){ var u=(("https:" == document.location.protocol) ? "https://{$PIWIK_URL}/" : "http://{$PIWIK_URL}/");
+_paq.push(['setSiteId', {$IDSITE}]);
+_paq.push(['setTrackerUrl', u+'piwik.php']);
+_paq.push(['trackPageView']);
+_paq.push(['enableLinkTracking']);
+var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.type='text/javascript'; g.defer=true; g.async=true; g.src=u+'piwik.js';
+s.parentNode.insertBefore(g,s); })();
+ </script>
+<!-- End Piwik Code -->
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/desc b/t/tests/files-privacybreach/desc
index d6cc677..2f00722 100644
--- a/t/tests/files-privacybreach/desc
+++ b/t/tests/files-privacybreach/desc
@@ -5,3 +5,4 @@ Description: Check for different html privacy breach
Test-For:
privacy-breach-generic
privacy-breach-google-adsense
+ privacy-breach-piwik
diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags
index b84771b..b84d04b 100644
--- a/t/tests/files-privacybreach/tags
+++ b/t/tests/files-privacybreach/tags
@@ -1,4 +1,6 @@
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsense.js
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyadds.js
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyvar.js
+E: files-privacybreach: privacy-breach-piwik usr/share/javascript/piwik.js
+E: files-privacybreach: privacy-breach-piwik usr/share/javascript/piwikvariant.js
X: files-privacybreach: privacy-breach-generic usr/share/javascript/genericwebsite.js www.example.com/trackme.js
--
1.7.10.4
From ef8a6e866164bed61478f866de89d735b8e880ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Fri, 9 Aug 2013 19:04:49 +0200
Subject: [PATCH 4/9] Improve detection of external resource
Detect the src attribute of various html tags. Also add object and video poster.
---
checks/files.pm | 57 +++++++++++++++++++-
t/tests/files-privacybreach/debian/debian/install | 2 +
t/tests/files-privacybreach/debian/src/applet.html | 5 ++
t/tests/files-privacybreach/debian/src/div.html | 9 ++++
t/tests/files-privacybreach/debian/src/embed.html | 9 ++++
.../files-privacybreach/debian/src/externalimg.xml | 1 +
t/tests/files-privacybreach/debian/src/frame.html | 11 ++++
t/tests/files-privacybreach/debian/src/iframe.html | 9 ++++
t/tests/files-privacybreach/debian/src/input.html | 9 ++++
t/tests/files-privacybreach/debian/src/object.html | 9 ++++
t/tests/files-privacybreach/debian/src/source.html | 10 ++++
t/tests/files-privacybreach/debian/src/track.html | 11 ++++
t/tests/files-privacybreach/debian/src/video.html | 7 +++
.../debian/src/videoposter.html | 7 +++
t/tests/files-privacybreach/tags | 11 ++++
15 files changed, 165 insertions(+), 2 deletions(-)
create mode 100644 t/tests/files-privacybreach/debian/src/applet.html
create mode 100644 t/tests/files-privacybreach/debian/src/div.html
create mode 100644 t/tests/files-privacybreach/debian/src/embed.html
create mode 100644 t/tests/files-privacybreach/debian/src/externalimg.xml
create mode 100644 t/tests/files-privacybreach/debian/src/frame.html
create mode 100644 t/tests/files-privacybreach/debian/src/iframe.html
create mode 100644 t/tests/files-privacybreach/debian/src/input.html
create mode 100644 t/tests/files-privacybreach/debian/src/object.html
create mode 100644 t/tests/files-privacybreach/debian/src/source.html
create mode 100644 t/tests/files-privacybreach/debian/src/track.html
create mode 100644 t/tests/files-privacybreach/debian/src/video.html
create mode 100644 t/tests/files-privacybreach/debian/src/videoposter.html
diff --git a/checks/files.pm b/checks/files.pm
index 584e1f0..ac3728d 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -1028,10 +1028,21 @@ foreach my $file ($info->sorted_index) {
$privacybreachhash{'piwik'} = 1;
}
}
- if($line =~ m,<script\s+[^>]*?\s+src="(?:http|ftp)://(?'website'[^"]*?)"[^>]*?>,) {
+ # According to html norm src attribute is used by tags:
+ # audio(v5+), embed (v5+), iframe (v4), frame, img, input, script, source, track(v5), video (v5)
+ # Add other tags with src due to some javascript code:
+ # div due to div.js
+ if($line =~ m,<
+ (?'tagattr'div|embed|i?frame|img|input|script|source|track|video)
+ (?:\s+ [^>]*?)? \s+
+ src \s* = \s*
+ "(?:https?|ftp)://(?'website'[^"]*?)"
+ [^>]*?
+ >,xi) {
my $website=$+{website};
+ my $tagattr=$+{tagattr};
given ($website) {
- when (m,googlesyndication\.com/pagead/show_ads\.js,) {
+ when (m,googlesyndication\.com/pagead/show_ads\.js$, and $tagattr eq 'script') {
unless (exists $privacybreachhash{'google-adsense'}) {
tag 'privacy-breach-google-adsense', $file;
$privacybreachhash{'google-adsense'} = 1;
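Review bot: The rewritten `src=` regex only accepts a double-quoted value, so `<script src='http://…'>` (single quotes are valid HTML) and the protocol-relative form `src="//pagead2.googlesyndication.com/…"` that ad and analytics snippets commonly use both escape detection. Capturing the quote and making the scheme optional handles both: `(?'q'["']) (?:(?:https?|ftp):)? // (?'website'[^"']*?) \k<q>` in place of `"(?:https?|ftp)://(?'website'[^"]*?)"`. The match is also line-based, so a tag whose `src` attribute sits on the line after `<script` is missed; a comment at the top of the `while` loop (which starts outside the hunk) stating that single-line tags are assumed would document that limit.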
@@ -1051,6 +1062,48 @@ foreach my $file ($info->sorted_index) {
}
}
}
+ # applet object codebase=
+ if ($line =~ m,<
+ (?:applet|object)
+ (:?\s+ [^>]*?)? \s+
+ codebase \s* = \s*
+ "(?:https?|ftp)://(?'website'[^"]*?)"
+ [^>]*?
+ >,xi) {
+ my $website=$+{website};
+ unless (exists $privacybreachhash{'generic-'.$website}) {
+ tag 'privacy-breach-generic', $file, $website;
+ $privacybreachhash{'generic-'.$website} = 1;
+ }
+ }
+ # object data=
+ if ($line =~ m,<
+ object
+ (:?\s+ [^>]*?)? \s+
+ data \s* = \s*"
+ (?:http|ftp)://(?'website'[^"]*?)"
+ [^>]*?
+ >,xi) {
+ my $website=$+{website};
+ unless (exists $privacybreachhash{'generic-'.$website}) {
+ tag 'privacy-breach-generic', $file, $website;
+ $privacybreachhash{'generic-'.$website} = 1;
+ }
+ }
+ # video poster aka thumbail (case sensitive due to html5 is xml)
+ if ($line =~ m,<
+ video
+ (:?\s+ [^>]*?)? \s+
+ poster \s* = \s*"
+ (?:https?|ftp)://(?'website'[^"]*?)"
+ [^>]*?
+ >,xi) {
+ my $website=$+{website};
+ unless (exists $privacybreachhash{'generic-'.$website}) {
+ tag 'privacy-breach-generic', $file, $website;
+ $privacybreachhash{'generic-'.$website} = 1;
+ }
+ }
}
close($fd);
}
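Review bot: All three new attribute patterns (applet/object `codebase`, object `data`, video `poster`) write the optional attribute run as `(:?\s+ [^>]*?)?`, which is a capturing group starting with an optional literal colon rather than the non-capturing `(?:\s+ [^>]*?)?` used in the `src` pattern above; it happens to work but leaves a stray capture and is clearly a typo. The object `data` pattern also accepts only `(?:http|ftp)://` while the other patterns in this commit take `(?:https?|ftp)://`, so an https data URL is not tagged. The comment on the poster block says the match is case sensitive, but the pattern is compiled with `/xi`. The three bodies are identical apart from the regex, so a small helper taking `$file`, the captured website and `\%privacybreachhash` would remove the duplication and keep the dedup key in one place.
```perl
# Tag an external resource fetch once per file and URL.
sub _tag_generic_breach {
    my ($file, $website, $seen_ref) = @_;
    my $key = 'generic-' . $website;
    return if exists $seen_ref->{$key};
    tag 'privacy-breach-generic', $file, $website;
    $seen_ref->{$key} = 1;
    return;
}
# … unchanged: codebase/data/poster regexes; each match body becomes …
_tag_generic_breach($file, $+{website}, \%privacybreachhash);
```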
diff --git a/t/tests/files-privacybreach/debian/debian/install b/t/tests/files-privacybreach/debian/debian/install
index 12abe36..1cb29f3 100644
--- a/t/tests/files-privacybreach/debian/debian/install
+++ b/t/tests/files-privacybreach/debian/debian/install
@@ -1 +1,3 @@
src/*.js /usr/share/javascript/
+src/*.xml /usr/share/htmlfragment/
+src/*.html /usr/share/file-privacybreach/html
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/applet.html b/t/tests/files-privacybreach/debian/src/applet.html
new file mode 100644
index 0000000..866d63a
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/applet.html
@@ -0,0 +1,5 @@
+<html>
+<body>
+<applet width=1 height=1 code="MyClass" type="application/x-java-applet;jpi-version=6" archive="myjar.jar" codebase="http://1984.os/trackme" />
+</body>
+</html>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/div.html b/t/tests/files-privacybreach/debian/src/div.html
new file mode 100644
index 0000000..6d703db
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/div.html
@@ -0,0 +1,9 @@
+<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
+<html>
+ <script src="DIV_SRC.js" language="JavaScript1.2"></script>
+ <body onLoad='DIV_SRC.resolve({debug : 1, tags : ["div", "span"]})'>
+ <div src="http://trackme.1984/index-2.html">
+ Please enable javascript to track me.
+ </div>
+ </body>
+</html>
diff --git a/t/tests/files-privacybreach/debian/src/embed.html b/t/tests/files-privacybreach/debian/src/embed.html
new file mode 100644
index 0000000..43382dd
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/embed.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<body>
+
+<embed src="helloworld.swf" />
+<embed src="http://1984.os/givemydata.swf" />
+
+</body>
+</html>
diff --git a/t/tests/files-privacybreach/debian/src/externalimg.xml b/t/tests/files-privacybreach/debian/src/externalimg.xml
new file mode 100644
index 0000000..79b7a51
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/externalimg.xml
@@ -0,0 +1 @@
+<img src="http://1984.ow/bigbrotheriswatchingyou.png" alt="Google" width="56" height="20" />
diff --git a/t/tests/files-privacybreach/debian/src/frame.html b/t/tests/files-privacybreach/debian/src/frame.html
new file mode 100644
index 0000000..d08ca35
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/frame.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+
+<frameset cols="25%,*,25%">
+ <!-- valid -->
+ <frame src="frame_a.htm">
+ <!-- valid -->
+ <frame src="file://frame_b.htm">
+ <frame src="http://1984.os/trackme_frame_c.htm">
+</frameset>
+</html>
diff --git a/t/tests/files-privacybreach/debian/src/iframe.html b/t/tests/files-privacybreach/debian/src/iframe.html
new file mode 100644
index 0000000..20390b3
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/iframe.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<body>
+
+<iframe src="http://1984.ow/bigbrotheriswatchingyou.html">
+ <p>Your browser does not support iframes.</p>
+</iframe>
+</body>
+</html>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/input.html b/t/tests/files-privacybreach/debian/src/input.html
new file mode 100644
index 0000000..1b3d6d6
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/input.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<body>
+<form action="trackme.php">
+ Account number: <input type="text" name="fname"><br>
+ <input type="image" src="http://1984.os/hiddentrackme.png" alt="Submit" width="48" height="48">
+</form>
+</body>
+</html>
diff --git a/t/tests/files-privacybreach/debian/src/object.html b/t/tests/files-privacybreach/debian/src/object.html
new file mode 100644
index 0000000..291616a
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/object.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<body>
+
+<object width="400" height="400" data="helloworld.swf"></object>
+<object width="400" height="400" data="https://1984.os/hellotrackme.swf" />
+</body>
+</html>
+
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/source.html b/t/tests/files-privacybreach/debian/src/source.html
new file mode 100644
index 0000000..1ebdf23
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/source.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<body>
+<audio controls>
+<source src="tux.ogg" type="audio/ogg">
+<source src="https://1984.os/tracking.mp3" type="audio/mpeg">
+Your browser does not support audio
+</audio>
+</body>
+</html>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/track.html b/t/tests/files-privacybreach/debian/src/track.html
new file mode 100644
index 0000000..1e060b4
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/track.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body>
+<video width="320" height="240" controls>
+ <source src="tux.mp4" type="video/mp4">
+ <source src="tux.ogg" type="video/ogg">
+ <track src="en.vtt" kind="subtitles" srclang="en" label="English">
+ <track src="http://1984.os/notracking.vtt" kind="subtitles" srclang="no" label="Norwegian">
+</video>
+</body>
+</html>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/video.html b/t/tests/files-privacybreach/debian/src/video.html
new file mode 100644
index 0000000..3633180
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/video.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<body>
+<video width="320" height="240" src="ftp://1984.os/tuxistrackingme.ogg" />
+</video>
+</body>
+</html>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/videoposter.html b/t/tests/files-privacybreach/debian/src/videoposter.html
new file mode 100644
index 0000000..18df2eb
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/videoposter.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<body>
+<video width="320" height="240" src="tux.ogg" poster="ftp://1984.os/tuxistrackingme.ogg" />
+</video>
+</body>
+</html>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags
index b84d04b..c877f1f 100644
--- a/t/tests/files-privacybreach/tags
+++ b/t/tests/files-privacybreach/tags
@@ -3,4 +3,15 @@ E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsen
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyvar.js
E: files-privacybreach: privacy-breach-piwik usr/share/javascript/piwik.js
E: files-privacybreach: privacy-breach-piwik usr/share/javascript/piwikvariant.js
+X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/applet.html 1984.os/trackme
+X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/div.html trackme.1984/index-2.html
+X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/embed.html 1984.os/givemydata.swf
+X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/frame.html 1984.os/trackme_frame_c.htm
+X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/iframe.html 1984.ow/bigbrotheriswatchingyou.html
+X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/input.html 1984.os/hiddentrackme.png
+X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/source.html 1984.os/tracking.mp3
+X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/track.html 1984.os/notracking.vtt
+X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/video.html 1984.os/tuxistrackingme.ogg
+X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/videoposter.html 1984.os/tuxistrackingme.ogg
+X: files-privacybreach: privacy-breach-generic usr/share/htmlfragment/externalimg.xml 1984.ow/bigbrotheriswatchingyou.png
X: files-privacybreach: privacy-breach-generic usr/share/javascript/genericwebsite.js www.example.com/trackme.js
--
1.7.10.4
From 5abd22717f934d40cad5ca59a77c865fa9a9e0c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Fri, 9 Aug 2013 21:44:56 +0200
Subject: [PATCH 6/9] Add google cse to privacy breach
Google search engine scripts are a privacy breach.
Detect it.
---
checks/files.desc | 7 +++
checks/files.pm | 64 ++++++++++++++++++--
.../files-privacybreach/debian/src/googlecse.xml | 9 +++
.../debian/src/googlecseform.xml | 20 ++++++
t/tests/files-privacybreach/desc | 1 +
t/tests/files-privacybreach/tags | 2 +
6 files changed, 97 insertions(+), 6 deletions(-)
create mode 100644 t/tests/files-privacybreach/debian/src/googlecse.xml
create mode 100644 t/tests/files-privacybreach/debian/src/googlecseform.xml
diff --git a/checks/files.desc b/checks/files.desc
index f710ada..77abb84 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -922,6 +922,13 @@ Info: This package create a privacy breach by fetching some data from
Please remove this script.
Ref: https://wiki.debian.org/Lintian/Tags/privacy-breach-google-adsense
+Tag: privacy-breach-google-cse
+Severity: important
+Certainty: possible
+Info: This package create a privacy breach by fetching some data from
+ google search engine and feed some private data to google.
+ Please remove these scripts.
+
Tag: privacy-breach-piwik
Severity: important
Certainty: possible
diff --git a/checks/files.pm b/checks/files.pm
index fe70980..8a72825 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -1016,9 +1016,19 @@ foreach my $file ($info->sorted_index) {
$line =~ m,\@import \s+ url\( \s* "(?:https?|ftp)://(?'website'[^"]*?)" \s* \),x)
{
my $website=$+{website};
- unless (exists $privacybreachhash{'generic-'.$website}) {
- tag 'privacy-breach-generic', $file, $website;
- $privacybreachhash{'generic-'.$website} = 1;
+ given ($website) {
+ when (m,cse/api/branding.css$,) {
+ unless (exists $privacybreachhash{'google-cse'}) {
+ tag 'privacy-breach-google-cse', $file;
+ $privacybreachhash{'google-cse'} = 1;
+ }
+ }
+ default {
+ unless (exists $privacybreachhash{'generic-'.$website}) {
+ tag 'privacy-breach-generic', $file, $website;
+ $privacybreachhash{'generic-'.$website} = 1;
+ }
+ }
}
}
}
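Review bot: The given/when block added here is repeated verbatim in the second files.pm hunk of this commit (the `@import` branch on the html side), and both are further copies of the tag-once-then-record idiom already present for adsense and piwik; a helper taking the website, the tag name and the dedup key would collapse all of them. `when (m,cse/api/branding.css$,)` matches any character at the unescaped `.` and is not tied to a google host, so `branding\.css$` is at least what is intended. The `if` that owns this block starts outside the hunk.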
@@ -1030,12 +1040,20 @@ foreach my $file ($info->sorted_index) {
open(my $fd, '<', $info->unpacked($file));
my %privacybreachhash = ();
while (my $line = <$fd>) {
+ # google adds
if($line =~ m,google_ad_client\s*=,) {
unless (exists $privacybreachhash{'google-adsense'}) {
tag 'privacy-breach-google-adsense', $file;
$privacybreachhash{'google-adsense'} = 1;
}
}
+ # google cse
+ if ($line =~ m,googleSearchDomain\s*=,) {
+ unless (exists $privacybreachhash{'google-cse'}) {
+ tag 'privacy-breach-google-cse', $file;
+ $privacybreachhash{'google-cse'} = 1;
+ }
+ }
# piwik
if($line =~ m,piwik_url\s*=, or
$line =~ m,pkBaseURL\s*=, or
@@ -1051,9 +1069,19 @@ foreach my $file ($info->sorted_index) {
$line =~ m,\@import \s+ url\( \s* "(?:https?|ftp)://(?'website'[^"]*?)" \s* \),x)
{
my $website=$+{website};
- unless (exists $privacybreachhash{'generic-'.$website}) {
- tag 'privacy-breach-generic', $file, $website;
- $privacybreachhash{'generic-'.$website} = 1;
+ given ($website) {
+ when (m,cse/api/branding.css$,) {
+ unless (exists $privacybreachhash{'google-cse'}) {
+ tag 'privacy-breach-google-cse', $file;
+ $privacybreachhash{'google-cse'} = 1;
+ }
+ }
+ default {
+ unless (exists $privacybreachhash{'generic-'.$website}) {
+ tag 'privacy-breach-generic', $file, $website;
+ $privacybreachhash{'generic-'.$website} = 1;
+ }
+ }
}
}
# According to html norm src attribute is used by tags:
@@ -1076,6 +1104,12 @@ foreach my $file ($info->sorted_index) {
$privacybreachhash{'google-adsense'} = 1;
}
}
+ when (m,google\.com/afsonline/show_afs_search\.js$, and $tagattr eq 'script') {
+ unless (exists $privacybreachhash{'google-cse'}) {
+ tag 'privacy-breach-google-cse', $file;
+ $privacybreachhash{'google-cse'} = 1;
+ }
+ }
when (m,piwik.php\?,) {
unless (exists $privacybreachhash{'piwik'}) {
tag 'privacy-breach-piwik', $file;
@@ -1132,6 +1166,24 @@ foreach my $file ($info->sorted_index) {
$privacybreachhash{'generic-'.$website} = 1;
}
}
+ # div class known for privacy breaking
+ if ($line =~ m,<
+ div
+ (:?\s+ [^>]*?)? \s+
+ class \s* = \s*"
+ (?'classattr'[^"]*?)"
+ [^>]*?
+ >,xi) {
+ my $classattr=$+{classattr};
+ given ($classattr) {
+ when (m,^cse-branding,) {
+ unless (exists $privacybreachhash{'google-cse'}) {
+ tag 'privacy-breach-google-cse', $file;
+ $privacybreachhash{'google-cse'} = 1;
+ }
+ }
+ }
+ }
}
close($fd);
}
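Review bot: The class check uses `^cse-branding` on the whole `class` attribute, but `class` holds a space-separated token list, so `class="left cse-branding-form"` is not seen; `(?:^|\s)cse-branding` matches the token wherever it sits. The optional attribute run is again written `(:?\s+ [^>]*?)?` (stray capturing group with an optional literal colon) instead of `(?:\s+ [^>]*?)?`. A `given` with one `when` and no `default` is just `if ($classattr =~ m,(?:^|\s)cse-branding,) { … }`, which also drops the dependence on the switch feature.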
diff --git a/t/tests/files-privacybreach/debian/src/googlecse.xml b/t/tests/files-privacybreach/debian/src/googlecse.xml
new file mode 100644
index 0000000..bdbd2ed
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/googlecse.xml
@@ -0,0 +1,9 @@
+<div id="cse-search-results"></div>
+<script type="text/javascript">
+var googleSearchIframeName = "cse-search-results";
+var googleSearchFormName = "cse-search-box";
+var googleSearchFrameWidth = 600;
+var googleSearchDomain = "www.google.com";
+var googleSearchPath = "/cse";
+</script>
+<script type="text/javascript" src="http://www.google.com/afsonline/show_afs_search.js"></script>
diff --git a/t/tests/files-privacybreach/debian/src/googlecseform.xml b/t/tests/files-privacybreach/debian/src/googlecseform.xml
new file mode 100644
index 0000000..c65c529
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/googlecseform.xml
@@ -0,0 +1,20 @@
+<!-- example from pstoedit -->
+<div class="cse-branding-bottom" style="background-color:#FFFFFF;color:#000000">
+<div class="cse-branding-form">
+<form action="http://www.helga-glunz.homepage.t-online.de/pstoedit/" id="cse-search-box">
+<div>
+<input type="hidden" name="cx" value="partner-pub-2239328204426644:3mybph-3n0p" />
+<input type="hidden" name="cof" value="FORID:10" />
+<input type="hidden" name="ie" value="ISO-8859-1" />
+<input type="text" name="q" size="31" />
+<input type="submit" name="sa" value="Search" />
+</div>
+</form>
+</div>
+<div class="cse-branding-logo">
+<img src="poweredby_FFFFFF.gif" alt="Google" width="56" height="20" />
+</div>
+<div class="cse-branding-text">
+Custom Search
+</div>
+</div>
diff --git a/t/tests/files-privacybreach/desc b/t/tests/files-privacybreach/desc
index 2f00722..6cc3a81 100644
--- a/t/tests/files-privacybreach/desc
+++ b/t/tests/files-privacybreach/desc
@@ -5,4 +5,5 @@ Description: Check for different html privacy breach
Test-For:
privacy-breach-generic
privacy-breach-google-adsense
+ privacy-breach-google-cse
privacy-breach-piwik
diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags
index 81f4df2..f5cfbf3 100644
--- a/t/tests/files-privacybreach/tags
+++ b/t/tests/files-privacybreach/tags
@@ -1,6 +1,8 @@
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsense.js
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyadds.js
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyvar.js
+E: files-privacybreach: privacy-breach-google-cse usr/share/htmlfragment/googlecse.xml
+E: files-privacybreach: privacy-breach-google-cse usr/share/htmlfragment/googlecseform.xml
E: files-privacybreach: privacy-breach-piwik usr/share/javascript/piwik.js
E: files-privacybreach: privacy-breach-piwik usr/share/javascript/piwikvariant.js
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/applet.html 1984.os/trackme
--
1.7.10.4
From ad2d3efe1f525103b627e101aaf9ae0b92301bf5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Fri, 9 Aug 2013 21:59:18 +0200
Subject: [PATCH 7/9] Add paypal detection to privacy breach
---
checks/files.desc | 7 +++++++
checks/files.pm | 6 ++++++
t/tests/files-privacybreach/debian/src/paypal.xml | 9 +++++++++
t/tests/files-privacybreach/desc | 2 ++
t/tests/files-privacybreach/tags | 1 +
5 files changed, 25 insertions(+)
create mode 100644 t/tests/files-privacybreach/debian/src/paypal.xml
diff --git a/checks/files.desc b/checks/files.desc
index 77abb84..5876069 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -929,6 +929,13 @@ Info: This package create a privacy breach by fetching some data from
google search engine and feed some private data to google.
Please remove these scripts.
+Tag: privacy-breach-paypal
+Severity: important
+Certainty: possible
+Info: This package create a privacy breach by fetching some data from
+ paypal.
+ Please remove these scripts.
+
Tag: privacy-breach-piwik
Severity: important
Certainty: possible
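Review bot: The Info text of the new `privacy-breach-paypal` tag reads "This package create a privacy breach" (should be "creates"), and its advice "Please remove these scripts" does not match what the check actually matches, which per the files.pm hunk of this patch is `img` and `input` elements pointing at paypal.com or paypalobjects.com. Suggest `Info: This package creates a privacy breach by fetching images or form elements from PayPal.` followed by `Please remove these elements or replace them with local copies.` The same "create" wording is repeated in the `privacy-breach-facebook` Info text added in PATCH 8/9.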
diff --git a/checks/files.pm b/checks/files.pm
index 8a72825..612ecb8 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -1110,6 +1110,12 @@ foreach my $file ($info->sorted_index) {
$privacybreachhash{'google-cse'} = 1;
}
}
+ when (m,www\.paypal(?:objects)?\.com/, and $tagattr =~ m,(?:img|input),i) {
+ unless (exists $privacybreachhash{'paypal'}) {
+ tag 'privacy-breach-paypal', $file;
+ $privacybreachhash{'paypal'} = 1;
+ }
+ }
when (m,piwik.php\?,) {
unless (exists $privacybreachhash{'piwik'}) {
tag 'privacy-breach-piwik', $file;
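Review bot: Both tests in the new `when` are unanchored: `$tagattr =~ m,(?:img|input),i` accepts any tag name that merely contains `img` or `input`, and `www\.paypal(?:objects)?\.com/` matches that string anywhere inside `$website`, not only as its host. Suggest `$tagattr =~ m,\A(?:img|input)\z,i` and, if `$website` starts at the host as the `@import` captures do, `m,\Awww\.paypal(?:objects)?\.com/,`. The `given ($website)` block and the regex that sets `$tagattr` start outside the hunk.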
diff --git a/t/tests/files-privacybreach/debian/src/paypal.xml b/t/tests/files-privacybreach/debian/src/paypal.xml
new file mode 100644
index 0000000..fd40b1f
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/paypal.xml
@@ -0,0 +1,9 @@
+<!-- from pstoedit -->
+<h1><a name="Donations">Donations</a></h1>
+Donations to the pstoedit project are welcome and can be done easily here:
+<form target="_blank" action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_s-xclick">
+<input type="hidden" name="hosted_button_id" value="2HSK5PN3TPCH8">
+<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
+<img alt="" border="0" src="https://www.paypalobjects.com/de_DE/i/scr/pixel.gif" width="1" height="1">
+</form>
diff --git a/t/tests/files-privacybreach/desc b/t/tests/files-privacybreach/desc
index 6cc3a81..21e2df8 100644
--- a/t/tests/files-privacybreach/desc
+++ b/t/tests/files-privacybreach/desc
@@ -6,4 +6,6 @@ Test-For:
privacy-breach-generic
privacy-breach-google-adsense
privacy-breach-google-cse
+ privacy-breach-paypal
privacy-breach-piwik
+
diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags
index f5cfbf3..d077e2f 100644
--- a/t/tests/files-privacybreach/tags
+++ b/t/tests/files-privacybreach/tags
@@ -3,6 +3,7 @@ E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsen
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyvar.js
E: files-privacybreach: privacy-breach-google-cse usr/share/htmlfragment/googlecse.xml
E: files-privacybreach: privacy-breach-google-cse usr/share/htmlfragment/googlecseform.xml
+E: files-privacybreach: privacy-breach-paypal usr/share/htmlfragment/paypal.xml
E: files-privacybreach: privacy-breach-piwik usr/share/javascript/piwik.js
E: files-privacybreach: privacy-breach-piwik usr/share/javascript/piwikvariant.js
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/applet.html 1984.os/trackme
--
1.7.10.4
From 89d30c2e3158a15d77c95ced9476099491de5b78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Fri, 9 Aug 2013 20:20:33 +0200
Subject: [PATCH 5/9] Add detection of tracking by css
Detect tracking via remote @import url directives in CSS.
---
checks/files.pm | 28 ++++++++++++++++++++
t/tests/files-privacybreach/debian/debian/install | 3 ++-
t/tests/files-privacybreach/debian/src/import.css | 2 ++
.../files-privacybreach/debian/src/importcss.html | 9 +++++++
t/tests/files-privacybreach/tags | 2 ++
5 files changed, 43 insertions(+), 1 deletion(-)
create mode 100644 t/tests/files-privacybreach/debian/src/import.css
create mode 100644 t/tests/files-privacybreach/debian/src/importcss.html
diff --git a/checks/files.pm b/checks/files.pm
index ac3728d..fe70980 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -1007,6 +1007,24 @@ foreach my $file ($info->sorted_index) {
}
}
+ # ---------------- css file
+ if ($file =~ m,\.css$,i) {
+ open(my $fd, '<', $info->unpacked($file));
+ my %privacybreachhash = ();
+ while (my $line = <$fd>) {
+ if ($line =~ m,\@import \s+ "(?:https?|ftp)://(?'website'[^"]*?)",x or
+ $line =~ m,\@import \s+ url\( \s* "(?:https?|ftp)://(?'website'[^"]*?)" \s* \),x)
+ {
+ my $website=$+{website};
+ unless (exists $privacybreachhash{'generic-'.$website}) {
+ tag 'privacy-breach-generic', $file, $website;
+ $privacybreachhash{'generic-'.$website} = 1;
+ }
+ }
+ }
+ close($fd);
+ }
+
# ---------------- html file or fragment
if ($file =~ m,\.(?:x?html?|js|xht|xml)$,i) {
open(my $fd, '<', $info->unpacked($file));
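Review bot: The two `@import` alternatives in the new CSS branch only match double-quoted URLs, so the `@import 'http://…';` and unquoted `@import url(http://…);` forms that CSS also allows are not flagged. One pattern covers all three: `if ($line =~ m{\@import \s+ (?:url\( \s*)? ["']? (?:https?|ftp):// (?'website'[^"'\)\s;]+)}xi) {`, and since the same test is copied into the HTML loop in the next hunk behind a "keep in sync" comment, it is better kept once as a file-level `qr{...}xi` that both sections interpolate. The `open(my $fd, '<', $info->unpacked($file));` on the new branch, like the HTML one it mirrors, does not check for failure, so an unreadable file yields no finding and no diagnostic; `or die "cannot open $file: $!"` would surface that. The enclosing `foreach my $file` loop starts outside the hunk.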
@@ -1028,6 +1046,16 @@ foreach my $file ($info->sorted_index) {
$privacybreachhash{'piwik'} = 1;
}
}
+ # css (keep in sync with previous section)
+ if ($line =~ m,\@import \s+ "(?:https?|ftp)://(?'website'[^"]*?)",x or
+ $line =~ m,\@import \s+ url\( \s* "(?:https?|ftp)://(?'website'[^"]*?)" \s* \),x)
+ {
+ my $website=$+{website};
+ unless (exists $privacybreachhash{'generic-'.$website}) {
+ tag 'privacy-breach-generic', $file, $website;
+ $privacybreachhash{'generic-'.$website} = 1;
+ }
+ }
# According to html norm src attribute is used by tags:
# audio(v5+), embed (v5+), iframe (v4), frame, img, input, script, source, track(v5), video (v5)
# Add other tags with src due to some javascript code:
diff --git a/t/tests/files-privacybreach/debian/debian/install b/t/tests/files-privacybreach/debian/debian/install
index 1cb29f3..f18025c 100644
--- a/t/tests/files-privacybreach/debian/debian/install
+++ b/t/tests/files-privacybreach/debian/debian/install
@@ -1,3 +1,4 @@
src/*.js /usr/share/javascript/
src/*.xml /usr/share/htmlfragment/
-src/*.html /usr/share/file-privacybreach/html
\ No newline at end of file
+src/*.html /usr/share/file-privacybreach/html
+src/*.css /usr/share/file-privacybreach/html
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/import.css b/t/tests/files-privacybreach/debian/src/import.css
new file mode 100644
index 0000000..9b6f743
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/import.css
@@ -0,0 +1,2 @@
+@import url("http://1984.wo/importtracking.css");
+p { color : #fff; }
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/importcss.html b/t/tests/files-privacybreach/debian/src/importcss.html
new file mode 100644
index 0000000..d060248
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/importcss.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<body>
+<style type="text/css">
+ @import url("import1.css");
+ @import url("http://trackme.css/track.css");
+</style>
+</body>
+</html>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags
index c877f1f..81f4df2 100644
--- a/t/tests/files-privacybreach/tags
+++ b/t/tests/files-privacybreach/tags
@@ -8,6 +8,8 @@ X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/embed.html 1984.os/givemydata.swf
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/frame.html 1984.os/trackme_frame_c.htm
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/iframe.html 1984.ow/bigbrotheriswatchingyou.html
+X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/import.css 1984.wo/importtracking.css
+X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/importcss.html trackme.css/track.css
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/input.html 1984.os/hiddentrackme.png
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/source.html 1984.os/tracking.mp3
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/track.html 1984.os/notracking.vtt
--
1.7.10.4
From 9cadee321ee2a6e2700a4b704821077867e4b13c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Sat, 10 Aug 2013 12:52:35 +0200
Subject: [PATCH 8/9] Add privacy breach detection of facebook
---
checks/files.desc | 7 ++++
checks/files.pm | 41 ++++++++++++++++++++
.../files-privacybreach/debian/src/facebook.xml | 2 +
.../debian/src/facebookfbmlbody2008.html | 6 +++
.../debian/src/facebookfbmlbody2013.html | 5 +++
.../debian/src/facebookhtml5like20130810.xml | 1 +
.../debian/src/facebookhtml5likebody20130810.xml | 8 ++++
.../debian/src/facebookxfbmllike20130810.xml | 1 +
t/tests/files-privacybreach/desc | 1 +
t/tests/files-privacybreach/tags | 6 +++
10 files changed, 78 insertions(+)
create mode 100644 t/tests/files-privacybreach/debian/src/facebook.xml
create mode 100644 t/tests/files-privacybreach/debian/src/facebookfbmlbody2008.html
create mode 100644 t/tests/files-privacybreach/debian/src/facebookfbmlbody2013.html
create mode 100644 t/tests/files-privacybreach/debian/src/facebookhtml5like20130810.xml
create mode 100644 t/tests/files-privacybreach/debian/src/facebookhtml5likebody20130810.xml
create mode 100644 t/tests/files-privacybreach/debian/src/facebookxfbmllike20130810.xml
diff --git a/checks/files.desc b/checks/files.desc
index 5876069..3779976 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -929,6 +929,13 @@ Info: This package create a privacy breach by fetching some data from
google search engine and feed some private data to google.
Please remove these scripts.
+Tag: privacy-breach-facebook
+Severity: important
+Certainty: possible
+Info: This package create a privacy breach by fetching some data from
+ facebook like share or like buttons.
+ Please remove these scripts or frames.
+
Tag: privacy-breach-paypal
Severity: important
Certainty: possible
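Review bot: The Info line "fetching some data from facebook like share or like buttons" is hard to parse because "like" is read first as a comparison. Suggest `Info: This package creates a privacy breach by embedding Facebook social plugins, such as the Like or Share buttons, which fetch data from Facebook.` keeping the existing "Please remove these scripts or frames." line.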
diff --git a/checks/files.pm b/checks/files.pm
index 612ecb8..efe0c7d 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -1040,6 +1040,17 @@ foreach my $file ($info->sorted_index) {
open(my $fd, '<', $info->unpacked($file));
my %privacybreachhash = ();
while (my $line = <$fd>) {
+ # facebook using often used js api name, fbxml declaration or xfbml tag
+ if ($line =~ m,facebook-jssdk, or
+ $line =~ m,FB\.(?:Canvas|api|init|login|getLoginStatus|Event|ui|XFBML), or
+ $line =~ m,xmlns:fb \s* = \s* "https?://www\.facebook\.com/20\d\d/fbml",x or
+ $line =~ m,xmlns:fb \s* = \s* "https?://ogp\.me/ns/fb,x or
+ $line =~ m,</?fb:(?:activity|comments|friendpile|like|like-box|login-button|name|profile-pic|recommendations) \s+ [^>]* > ,x) {
+ unless (exists $privacybreachhash{'facebook'}) {
+ tag 'privacy-breach-facebook', $file;
+ $privacybreachhash{'facebook'} = 1;
+ }
+ }
# google adds
if($line =~ m,google_ad_client\s*=,) {
unless (exists $privacybreachhash{'google-adsense'}) {
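Review bot: The XFBML alternative `</?fb:(?:...) \s+ [^>]* >` requires at least one whitespace character after the tag name, so the `</?` prefix is dead (a closing `</fb:like>` never has one) and an attribute-less `<fb:like>` is missed as well; `</?fb:(?:...)(?:\s+[^>]*)?>` fixes both. The `FB\.(?:Canvas|api|...)` test is unanchored on the left and will fire inside any longer identifier ending in `FB`; `\bFB\.(?:...)` restricts it to the Facebook JS SDK object. The `xmlns:fb` alternatives fire on a namespace declaration that by itself fetches nothing, which is presumably intended as an indicator of FBML use; a comment saying so (`# a fb: namespace declaration implies FBML markup that loads Facebook widgets`) would keep a later reader from treating it as a false positive.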
@@ -1098,6 +1109,12 @@ foreach my $file ($info->sorted_index) {
my $website=$+{website};
my $tagattr=$+{tagattr};
given ($website) {
+ when (m,[^\.]+\.facebook\.com/,) {
+ unless (exists $privacybreachhash{'facebook'}) {
+ tag 'privacy-breach-facebook', $file;
+ $privacybreachhash{'facebook'} = 1;
+ }
+ }
when (m,googlesyndication\.com/pagead/show_ads\.js$, and $tagattr eq 'script') {
unless (exists $privacybreachhash{'google-adsense'}) {
tag 'privacy-breach-google-adsense', $file;
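Review bot: The pattern `[^\.]+\.facebook\.com/` in the new `when` requires a subdomain, so a bare `facebook.com/...` URL is not classified as Facebook and falls through to the generic tag, while being unanchored it also matches `x.facebook.com/` anywhere inside a path on another host. If `$website` begins at the host name, as the `@import` captures in this series do, `when (m,\A(?:[^./]+\.)*facebook\.com/,) {` handles both cases. The `given ($website)` block continues outside the hunk.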
@@ -1182,6 +1199,12 @@ foreach my $file ($info->sorted_index) {
>,xi) {
my $classattr=$+{classattr};
given ($classattr) {
+ when (m,^fb-(?:activity|comments|friendpile|like|like-box|login-button|name|profile-pic|recommendations)$,) {
+ unless (exists $privacybreachhash{'facebook'}) {
+ tag 'privacy-breach-facebook', $file;
+ $privacybreachhash{'facebook'} = 1;
+ }
+ }
when (m,^cse-branding,) {
unless (exists $privacybreachhash{'google-cse'}) {
tag 'privacy-breach-google-cse', $file;
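Review bot: `^fb-(?:activity|...)$` is applied to the whole `class` attribute, so an element with more than one class (`class="fb-like clearfix"`) is not matched even though the fixture's single-class `<div class="fb-like">` is. `(?:^|\s)fb-(?:activity|comments|friendpile|like|like-box|login-button|name|profile-pic|recommendations)(?:\s|$)` matches the token anywhere in the list; the `^cse-branding` test in the earlier class hunk has the same limitation. The `given ($classattr)` block continues outside the hunk.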
@@ -1190,6 +1213,24 @@ foreach my $file ($info->sorted_index) {
}
}
}
+ # div id known for privacy breaking
+ if ($line =~ m,<
+ div
+ (:?\s+ [^>]*?)? \s+
+ id \s* = \s*"
+ (?'idattr'[^"]*?)"
+ [^>]*?
+ >,xi) {
+ my $idattr=$+{idattr};
+ given ($idattr) {
+ when (m,'^fb-(?:like|root)$',) {
+ unless (exists $privacybreachhash{'facebook'}) {
+ tag 'privacy-breach-facebook', $file;
+ $privacybreachhash{'facebook'} = 1;
+ }
+ }
+ }
+ }
}
close($fd);
}
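Review bot: The new `when (m,'^fb-(?:like|root)$',)` can never match: with `,` as the delimiter the single quotes are literal pattern characters, and a literal `'` followed by the `^` anchor is unsatisfiable, so the whole `div id` branch is dead code. The fixture `facebookhtml5likebody20130810.xml` still produces the expected tag only because the same file contains `facebook-jssdk`, which the line-level test catches. Fix is `when (m,^fb-(?:like|root)$,) {`, and a fixture holding only `<div id="fb-root"></div>` would have exposed this. The enclosing `while` loop starts outside the hunk.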
diff --git a/t/tests/files-privacybreach/debian/src/facebook.xml b/t/tests/files-privacybreach/debian/src/facebook.xml
new file mode 100644
index 0000000..87aef41
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/facebook.xml
@@ -0,0 +1,2 @@
+<!-- from pstoedit -->
+<iframe src="http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fpages%2Fpstoedit%2F260606183958062&width=329&colorscheme=light&show_faces=false&border_color&stream=false&header=false&height=62" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:229px; height:62px;" allowTransparency="true"></iframe>
diff --git a/t/tests/files-privacybreach/debian/src/facebookfbmlbody2008.html b/t/tests/files-privacybreach/debian/src/facebookfbmlbody2008.html
new file mode 100644
index 0000000..2da7e80
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/facebookfbmlbody2008.html
@@ -0,0 +1,6 @@
+<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml:lang="en" lang="en">
+<body>
+</body>
+</html>
+
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/facebookfbmlbody2013.html b/t/tests/files-privacybreach/debian/src/facebookfbmlbody2013.html
new file mode 100644
index 0000000..cc1d3c1
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/facebookfbmlbody2013.html
@@ -0,0 +1,5 @@
+<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://ogp.me/ns/fb#" xml:lang="en" lang="en">
+<body>
+</body>
+</html>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/facebookhtml5like20130810.xml b/t/tests/files-privacybreach/debian/src/facebookhtml5like20130810.xml
new file mode 100644
index 0000000..47ae78b
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/facebookhtml5like20130810.xml
@@ -0,0 +1 @@
+<div class="fb-like" data-href="http://developers.facebook.com/docs/reference/plugins/like" data-width="450" data-show-faces="true" data-send="true"></div>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/facebookhtml5likebody20130810.xml b/t/tests/files-privacybreach/debian/src/facebookhtml5likebody20130810.xml
new file mode 100644
index 0000000..7787375
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/facebookhtml5likebody20130810.xml
@@ -0,0 +1,8 @@
+<div id="fb-root"></div>
+<script>(function(d, s, id) {
+ var js, fjs = d.getElementsByTagName(s)[0];
+ if (d.getElementById(id)) return;
+ js = d.createElement(s); js.id = id;
+ js.src = "//connect.facebook.net/en_US/all.js#xfbml=1";
+ fjs.parentNode.insertBefore(js, fjs);
+ }(document, 'script', 'facebook-jssdk'));</script>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/debian/src/facebookxfbmllike20130810.xml b/t/tests/files-privacybreach/debian/src/facebookxfbmllike20130810.xml
new file mode 100644
index 0000000..3394707
--- /dev/null
+++ b/t/tests/files-privacybreach/debian/src/facebookxfbmllike20130810.xml
@@ -0,0 +1 @@
+<fb:like href="http://developers.facebook.com/docs/reference/plugins/like" width="450" show_faces="true" send="true"></fb:like>
\ No newline at end of file
diff --git a/t/tests/files-privacybreach/desc b/t/tests/files-privacybreach/desc
index 21e2df8..547f697 100644
--- a/t/tests/files-privacybreach/desc
+++ b/t/tests/files-privacybreach/desc
@@ -6,6 +6,7 @@ Test-For:
privacy-breach-generic
privacy-breach-google-adsense
privacy-breach-google-cse
+ privacy-breach-facebook
privacy-breach-paypal
privacy-breach-piwik
diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags
index d077e2f..ac6b28c 100644
--- a/t/tests/files-privacybreach/tags
+++ b/t/tests/files-privacybreach/tags
@@ -1,3 +1,9 @@
+E: files-privacybreach: privacy-breach-facebook usr/share/file-privacybreach/html/facebookfbmlbody2008.html
+E: files-privacybreach: privacy-breach-facebook usr/share/file-privacybreach/html/facebookfbmlbody2013.html
+E: files-privacybreach: privacy-breach-facebook usr/share/htmlfragment/facebook.xml
+E: files-privacybreach: privacy-breach-facebook usr/share/htmlfragment/facebookhtml5like20130810.xml
+E: files-privacybreach: privacy-breach-facebook usr/share/htmlfragment/facebookhtml5likebody20130810.xml
+E: files-privacybreach: privacy-breach-facebook usr/share/htmlfragment/facebookxfbmllike20130810.xml
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsense.js
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyadds.js
E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyvar.js
--
1.7.10.4
From 016616a917c64e3f7a0ecd75763741dcc39b2790 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Sat, 10 Aug 2013 15:01:36 +0200
Subject: [PATCH 9/9] Add https to object tracking
Also accept the https scheme in the object data tracking check.
---
checks/files.pm | 2 +-
t/tests/files-privacybreach/tags | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/checks/files.pm b/checks/files.pm
index efe0c7d..11b9e8e 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -1166,7 +1166,7 @@ foreach my $file ($info->sorted_index) {
object
(:?\s+ [^>]*?)? \s+
data \s* = \s*"
- (?:http|ftp)://(?'website'[^"]*?)"
+ (?:https?|ftp)://(?'website'[^"]*?)"
[^>]*?
>,xi) {
my $website=$+{website};
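Review bot: After this change the `data=` pattern still requires an explicit scheme, so protocol-relative URLs (`data="//host/x.swf"`), which browsers resolve against the page's own scheme and fetch just like absolute ones, are not flagged; the fixture added in PATCH 8/9 uses exactly that form for `//connect.facebook.net/...` and is only caught through the `facebook-jssdk` string. `(?:(?:https?|ftp):)?//(?'website'[^"]*?)"` covers both, and the same consideration applies to the other `(?:https?|ftp)://` captures in this series. The enclosing `if` and its `object` regex start outside the hunk.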
diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags
index ac6b28c..5b10321 100644
--- a/t/tests/files-privacybreach/tags
+++ b/t/tests/files-privacybreach/tags
@@ -20,6 +20,7 @@ X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/import.css 1984.wo/importtracking.css
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/importcss.html trackme.css/track.css
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/input.html 1984.os/hiddentrackme.png
+X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/object.html 1984.os/hellotrackme.swf
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/source.html 1984.os/tracking.mp3
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/track.html 1984.os/notracking.vtt
X: files-privacybreach: privacy-breach-generic usr/share/file-privacybreach/html/video.html 1984.os/tuxistrackingme.ogg
--
1.7.10.4