[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#898822: [RFC] Detect data embeded image in html like file

On Wed, May 16, 2018 at 4:00 PM, Bastien ROUCARIES
<roucaries.bastien@gmail.com> wrote:
> On Wed, May 16, 2018 at 11:33 AM, Chris Lamb <lamby@debian.org> wrote:
>> retitle 898822 Detect data encoded/embedded in HTML "Data" URI schemes
>> severity 898822 wishlist
>> tags 898822 + moreinfo
>> thanks
>>
>> Hi Bastien,
>>
>> [..]
>>
>> I think some concrete examples here would be useful in triaging/
>> prioritising this, as well as working out whether it is feasible or
>> sensible :)
> Code search with request
> (https://codesearch.debian.net/search?q=src%3D%22data%3A&page=1&perpkg=1)
> give 75 packages affected:
> asciidoctor
> cacti
> chemical-structures
> chromium-browser
> ckeditor
> classified-ads
> diffoscope
> edbrowse
> firefox
> firefox-esr
> fontforge
> fossil
> gitinspector
> golang-github-microcosm-cc-bluemonday
> html5lib
> icingaweb2
> ikiwiki
> ipython
> jmol
> juli
> kmplayer
> kopano-webapp
> landslide
> libcgi-application-plugin-dbiprofile-perl
> libxml-atom-fromowl-perl
> libxml-atom-owl-perl
> lua-apr
> matplotlib
> mayavi2
> mediawiki
> nbconvert
> node-normalize.css
> notmuch
> oca-core
> openlp
> opennebula
> openscad
> pandoc
> php-doctrine-bundle
> php-getid3
> php-kdyby-events
> phpmyadmin
> python-cartopy
> python-darkslide
> python-mne
> python-pweave
> python-pydub
> python-pyqrcode
> python-qtconsole
> qtwebengine-opensource-src
> rails
> rapid-photo-downloader
> r-cran-knitr
> r-cran-repr
> r-cran-rmarkdown
> rdkit
> request-tracker4
> roundcube
> rss-bridge
> rubocop
> sagemath
> sass-spec
> simplesamlphp
> spip
> sympa
> thunderbird
> trac
> turbogears2-doc
> veusz
> virtuoso-opensource
> vistrails
> woo
> xhtml2pdf
> yt
> zotero-standalone-build
>
> Some are clearly abuse see:
> 1. https://sources.debian.org/src/chemical-structures/2.2.dfsg.0-12/debian/patches/privacy.patch/?hl=10#L10
> (render package undistributable one of sourceforge logo)
> 2. https://codesearch.debian.net/show?file=lua-apr_0.23.2.dfsg-4%2Fsrc%2Fbase64.c&line=33
> FTBFS not prefered modification source
> 3. https://sources.debian.org/src/rubocop/0.52.1+dfsg-1/debian/patches/04-adjust-tests-due-to-rubocop-logo-removal-from-package.diff/?hl=25#L25
> (remove logo as file not as included base64 => RC undistributable)
> 4.https://sources.debian.org/src/fontforge/1:20170731%7Edfsg-1/debian/patches/2003_avoid_privacy_breach.patch/?hl=59#L59
> Border line could use the same trick that I have done in
> libjs-normalize.css to generate with js the image (not prefered source
> of modification)
>
> I have not checked all the package.
>
> another risk is to carry forbidden image like porn of think like this
> is this stuff. I prefer lintian to signal pedantically in order to
> manually check acceptance.
>
> Better safe than sorry

This request is also interesting:
https://codesearch.debian.net/search?q=href%3D%22data%3A&perpkg=1&page=1

>
> Bastien
>
>
>>
>> Best wishes,
>>
>> --
>>       ,''`.
>>      : :'  :     Chris Lamb
>>      `. `'`      lamby@debian.org / chris-lamb.co.uk
>>        `-
Reply to: