
Bug#907667: marked as done (lintian: should html escape output if --color=html is used)



Your message dated Thu, 06 Sep 2018 14:48:41 +0000
with message-id <E1fxvaL-0001KN-4r@fasolo.debian.org>
and subject line Bug#907667: fixed in lintian 2.5.100
has caused the Debian Bug report #907667,
regarding lintian: should html escape output if --color=html is used
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
907667: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907667
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: lintian
Version: 2.5.99
Severity: important
X-Debbugs-CC: ftpmaster@ftp-master.debian.org
X-Debbugs-CC: debian-admin@lists.debian.org

Hi,

Lintian does not html escape tag information when --color=html is used.
I noticed this after browsing a few packages in the NEW queue which have
broken stylesheets. Current examples:
https://ftp-master.debian.org/new/displaycal_3.6.1.0-1.html
https://ftp-master.debian.org/new/json-editor.js_0.7.28+ds-1.html

When generating those pages, dak passes --color=html to lintian and does
not escape the output (because that would escape the span tags). In this
case some privacy-breach-generic tags contained <link rel="stylesheet"
tags in their information which get emitted into the above pages.
Browsers then proceed to load these stylesheets from foreign websites.

It seems to me the best option is to have lintian html escape everything
if --color=html is in use, otherwise --color=html cannot be used safely.

Example broken lintian output:
> $ lintian --color=html libjs-json-editor_0.7.28+ds-1_all.deb
> W: libjs-json-editor: <span style="color: yellow">privacy-breach-generic</span> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [<link rel="stylesheet" href="//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.default.min.css">] (//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.default.min.css)
> W: libjs-json-editor: <span style="color: yellow">privacy-breach-generic</span> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [<link rel="stylesheet" href="//cdn.jsdelivr.net/sceditor/1.4.3/themes/default.min.css">] (//cdn.jsdelivr.net/sceditor/1.4.3/themes/default.min.css)
> W: libjs-json-editor: <span style="color: yellow">privacy-breach-generic</span> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [<script src="//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.bbcode.min.js">] (//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.bbcode.min.js)
> W: libjs-json-editor: <span style="color: yellow">privacy-breach-generic</span> ... use --no-tag-display-limit to see all (or pipe to a file/program)

As an aside, I see that ftp-master.debian.org sets the non-standard
X-Xss-Protection HTTP header which might? mitigate this on some
browsers. Notably Firefox completely ignores this header and instead
requires you to use Content-Security-Policy to get XSS protection, so
setting that might be a good idea (although setting this "globally" will
almost certainly break stuff). I've CCed the DSA team since I guess they
manage this.

James

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
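The point of the report above, and of the lib/Lintian/Output.pm change in 2.5.100 that closes it, is ordering: a renderer must HTML-escape the untrusted fields (package name, tag name, tag information) first and only then add its own <span> markup, so that a consumer such as dak can embed the result verbatim. The following Python is an added illustration of that rule, not code from lintian or dak. It assumes a plain-text line layout of "<severity>: <package>: <tag> <info>" (a simplification of real lintian output, parsed with a small regex), a severity-to-colour map of which only "yellow" for W comes from the page, and two constructed sample lines modelled on the privacy-breach-generic output quoted in the report. The foreign_tags() helper is a simple check you can run over either renderer's output, or over a generated NEW-queue page, to spot elements that did not come from the renderer itself.

```python
"""
Added example for Bug#907667: render lintian tag lines as HTML without
letting the tag information inject markup. Illustration code only; it is
not lintian's lib/Lintian/Output.pm and not dak. Assumptions: the line
layout "<severity>: <package>: <tag> <info>", the colour map below, and
the constructed sample lines.
"""
import html
import re

# Constructed sample lines in lintian's plain-text format, modelled on the
# privacy-breach-generic lines quoted in the bug report.
SAMPLE_LINES = [
    'W: libjs-json-editor: privacy-breach-generic '
    'usr/share/doc/libjs-json-editor/examples/wysiwyg.html '
    '[<link rel="stylesheet" href="//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.default.min.css">] '
    '(//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.default.min.css)',
    'E: libjs-json-editor: source-is-missing '
    'usr/share/javascript/json-editor/jsoneditor.min.js',
]

# Assumed line layout; real lintian output has more variants than this.
LINE_RE = re.compile(
    r'^(?P<sev>[EWIPX]): (?P<pkg>[^:]+): (?P<tag>\S+)(?: (?P<info>.*))?$')

# Assumed colour map; only "yellow" for W is taken from the page.
COLOURS = {'E': 'red', 'W': 'yellow', 'I': 'cyan', 'P': 'green', 'X': 'blue'}


def parse_line(line):
    """Split one lintian line into severity, package, tag and info."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError('unrecognised lintian line: %r' % line)
    fields = m.groupdict()
    fields['info'] = fields['info'] or ''
    return fields


def render_unsafe(line):
    """Pre-2.5.100 behaviour: add a coloured <span>, escape nothing.

    Whatever the tag info contains (here a <link rel="stylesheet">) is
    copied into the page as live markup, which is the bug.
    """
    f = parse_line(line)
    span = '<span style="color: %s">%s</span>' % (COLOURS[f['sev']], f['tag'])
    return ('%s: %s: %s %s' % (f['sev'], f['pkg'], span, f['info'])).rstrip()


def render_safe(line):
    """Escape every field that came from the package *before* adding our span.

    The consumer (dak) can then embed the result verbatim: the only markup
    left in it is the markup the renderer generated itself.
    """
    f = parse_line(line)
    esc = {k: html.escape(v, quote=True) for k, v in f.items()}
    span = '<span style="color: %s">%s</span>' % (COLOURS[f['sev']], esc['tag'])
    return ('%s: %s: %s %s' % (esc['sev'], esc['pkg'], span, esc['info'])).rstrip()


# Simple check for either renderer's output (or a generated NEW-queue page):
# any element other than our own <span> came from the package, not from us.
TAG_RE = re.compile(r'<\s*/?\s*([A-Za-z][A-Za-z0-9-]*)')
ALLOWED_TAGS = {'span'}


def foreign_tags(fragment):
    """Return the set of element names in the fragment other than <span>."""
    return {t.lower() for t in TAG_RE.findall(fragment)} - ALLOWED_TAGS


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print('unsafe:', render_unsafe(line), foreign_tags(render_unsafe(line)))
        print('safe:  ', render_safe(line), foreign_tags(render_safe(line)))
```

Run as-is, the unsafe renderer leaks a "link" element for the first sample line while the safe one leaves only "&lt;link ...&gt;" text, so a browser has nothing to fetch. The escaping belongs in the producer (lintian) precisely because the consumer cannot escape after the fact without also escaping the spans it wants to keep; a Content-Security-Policy on the serving host, as the report suggests, is defence in depth, not a substitute.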
--- Begin Message ---
Source: lintian
Source-Version: 2.5.100

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 907667@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 06 Sep 2018 12:09:56 +0000
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.100
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 lintian    - Debian package checker
Closes: 907578 907620 907667 907681 907836 907845 907870
Changes:
 lintian (2.5.100) unstable; urgency=medium
 .
   * Summary of tag changes:
     + Added:
       - obsolete-runtime-tests-restriction
       - package-contains-python-dot-directory
       - skip-systemd-native-flag-missing-pre-depends
       - vcs-obsolete-in-debian-infrastructure
     + Removed:
       - vcs-deprecated-in-debian-infrastructure
 .
   * checks/control-file.{desc,pm}:
     + [CL] Don't check the .dsc for "XS-Autobuild"; check the control file
       itself.  This fixes source-only-upload-to-non-free-without-autobuild.
       (Closes: #907681)
   * checks/debhelper.pm:
     + [CL] Also check override_dh_systemd_<action>-arch and -indep for
       debian-rules-uses-deprecated-systemd-override.  (Closes: #907845)
   * checks/fields.{desc,pm}:
     + [CL] Rename vcs-deprecated-in-debian-infrastructure and update the
       documentation to match.  (Closes: #907578)
   * checks/scripts.{desc,pm}:
     + [CL] Check for "invoke-rc.d --skip-systemd-native" without a suitable
       Pre-Depends.  (Closes: #907836)
   * checks/testsuite.{desc,pm}:
     + [CL] Don't emit unknown-runtime-tests-feature for autopkgtest
       "Features:" entries that use the "test-name=foo" nomenclature.
       (Closes: #907620)
     + [CL] Apply patch from Paul Gevers to emit warnings for deprecated
       test features.
 .
   * data/files/fnames:
     + [CL] Check for "dot" directories in Python packaging such as
       ".cache", etc; they are usually an error.  (Closes: #907870)
   * data/spelling/corrections:
     + [PW] Add a number of corrections.
   * data/testsuite/known-restrictions:
     + [CL] Apply patch from Paul Gevers to add hint-testsuite-triggers and
       skip-not-installable to the list of known autopkgtest restrictions.
 .
   * lib/Lintian/Output.pm:
     + [CL] Escape output if --color=html is used.  This prevents browsers
       loading images/stylesheets from foreign websites that are part of
       warning messages.  (Closes: #907667)
 .
   * Miscellaneous:
     + [CL] Apply patch from Daniele Forsi fixing a large number of typos in the
       codebase, documentation, etc.
     + [CL] Update tests to support dash 0.5.10.2.
Checksums-Sha1:
 345bea6757250d746a11a41251d350ef7f8cc620 3542 lintian_2.5.100.dsc
 a6ee35866222124a3b4e661ed00d91f90499bf65 1584776 lintian_2.5.100.tar.xz
 6a8c9dbfc553af8ccab3fd2b695eba907c7791f8 1132756 lintian_2.5.100_all.deb
 9623eeb094c659aeffbe93fdeed18692e51d9873 16223 lintian_2.5.100_amd64.buildinfo
Checksums-Sha256:
 fa3aeb3645a8fc0240e090d1d293bdce9c867ba11eba06fdefa89d7c4ec0434b 3542 lintian_2.5.100.dsc
 42f0548e754cdd8c91b553c9ec013ed9e965e740c01159940351dbf69de7a6b9 1584776 lintian_2.5.100.tar.xz
 f5f27ca4c9e72af00a18c781fb4a2bee0176c66e149ef718fca5c0631052418b 1132756 lintian_2.5.100_all.deb
 1e9fe6fd32e543b6bb305cc7669e7c2f7f43af94dcbcbe5500edfb14528a6243 16223 lintian_2.5.100_amd64.buildinfo
Files:
 9d2edbfa81544b32a17c1fa2ee8e52dc 3542 devel optional lintian_2.5.100.dsc
 f27737e198296c700100cfe525c9131c 1584776 devel optional lintian_2.5.100.tar.xz
 e6c31d47c3cfa9a9a92cd78d0f1a01f3 1132756 devel optional lintian_2.5.100_all.deb
 fec004e4dd3ab5df0b39653f18132609 16223 devel optional lintian_2.5.100_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
