Your message dated Thu, 06 Sep 2018 14:48:41 +0000 with message-id <E1fxvaL-0001KN-4r@fasolo.debian.org> and subject line Bug#907667: fixed in lintian 2.5.100 has caused the Debian Bug report #907667, regarding lintian: should html escape output if --color=html is used to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
907667: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907667
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: lintian: should html escape output if --color=html is used
- From: James Cowgill <jcowgill@debian.org>
- Date: Fri, 31 Aug 2018 00:08:37 +0100
- Message-id: <8a11cd54-b508-c3b7-4e55-8c089796e800@debian.org>
Package: lintian
Version: 2.5.99
Severity: important
X-Debbugs-CC: ftpmaster@ftp-master.debian.org
X-Debbugs-CC: debian-admin@lists.debian.org

Hi,

Lintian does not html escape tag information when --color=html is used. I noticed this after browsing a few packages in the NEW queue which have broken stylesheets. Current examples:

https://ftp-master.debian.org/new/displaycal_3.6.1.0-1.html
https://ftp-master.debian.org/new/json-editor.js_0.7.28+ds-1.html

When generating those pages, dak passes --color=html to lintian and does not escape the output (because that would escape the span tags). In this case some privacy-breach-generic tags contained <link rel="stylesheet" tags in their information which get emitted into the above pages. Browsers then proceed to load these stylesheets from foreign websites.

It seems to me the best option is to have lintian html escape everything if --color=html is in use, otherwise --color=html cannot be used safely.

Example broken lintian output:

> $ lintian --color=html libjs-json-editor_0.7.28+ds-1_all.deb
> W: libjs-json-editor: <span style="color: yellow">privacy-breach-generic</span> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [<link rel="stylesheet" href="//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.default.min.css">] (//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.default.min.css)
> W: libjs-json-editor: <span style="color: yellow">privacy-breach-generic</span> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [<link rel="stylesheet" href="//cdn.jsdelivr.net/sceditor/1.4.3/themes/default.min.css">] (//cdn.jsdelivr.net/sceditor/1.4.3/themes/default.min.css)
> W: libjs-json-editor: <span style="color: yellow">privacy-breach-generic</span> usr/share/doc/libjs-json-editor/examples/wysiwyg.html [<script src="//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.bbcode.min.js">] (//cdn.jsdelivr.net/sceditor/1.4.3/jquery.sceditor.bbcode.min.js)
> W: libjs-json-editor: <span style="color: yellow">privacy-breach-generic</span> ... use --no-tag-display-limit to see all (or pipe to a file/program)

As an aside, I see that ftp-master.debian.org sets the non-standard X-Xss-Protection HTTP header which might? mitigate this on some browsers. Notably Firefox completely ignores this header and instead requires you to use Content-Security-Policy to get XSS protection, so setting that might be a good idea (although setting this "globally" will almost certainly break stuff). I've CCed the DSA team since I guess they manage this.

James

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
- To: 907667-close@bugs.debian.org
- Subject: Bug#907667: fixed in lintian 2.5.100
- From: Chris Lamb <lamby@debian.org>
- Date: Thu, 06 Sep 2018 14:48:41 +0000
- Message-id: <E1fxvaL-0001KN-4r@fasolo.debian.org>
Source: lintian
Source-Version: 2.5.100

We believe that the bug you reported is fixed in the latest version of lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 907667@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated lintian package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 06 Sep 2018 12:09:56 +0000
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.100
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 lintian    - Debian package checker
Closes: 907578 907620 907667 907681 907836 907845 907870
Changes:
 lintian (2.5.100) unstable; urgency=medium
 .
   * Summary of tag changes:
     + Added:
       - obsolete-runtime-tests-restriction
       - package-contains-python-dot-directory
       - skip-systemd-native-flag-missing-pre-depends
       - vcs-obsolete-in-debian-infrastructure
     + Removed:
       - vcs-deprecated-in-debian-infrastructure
 .
   * checks/control-file.{desc.pm}:
     + [CL] Don't check the .dsc for "XS-Autobuild"; check the control file
       itself. This fixes source-only-upload-to-non-free-without-autobuild.
       (Closes: #907681)
   * checks/debhelper.pm:
     + [CL] Also check override_dh_systemd_<action>-arch and -indep for
       debian-rules-uses-deprecated-systemd-override. (Closes: #907845)
   * checks/fields.{desc.pm}:
     + [CL] Rename vcs-deprecated-in-debian-infrastructure and update the
       documentation to match. (Closes: #907578)
   * checks/scripts.{desc.pm}:
     + [CL] Check for "invoke-rc.d --skip-systemd-native" without a suitable
       Pre-Depends. (Closes: #907836)
   * checks/testsuite.{desc,pm}:
     + [CL] Don't emit unknown-runtime-tests-feature for autopkgtest
       "Features:" entries that use the "test-name=foo" nomenclature.
       (Closes: #907620)
     + [CL] Apply patch from Paul Gevers to emit warnings for deprecated test
       features.
 .
   * data/files/fnames:
     + [CL] Check for "dot" directories in Python packaging such as ".cache",
       etc; they are usually an error. (Closes: #907870)
   * data/spelling/corrections:
     + [PW] Add a number of corrections.
   * data/testsuite/known-restrictions:
     + [CL] Apply patch from Paul Gevers to add hint-testsuite-triggers and
       skip-not-installable to the list of known autopkgtest restrictions.
 .
   * lib/Lintian/Output.pm:
     + [CL] Escape output if --color=html is used. This prevents browsers
       loading images/stylesheets from foreign websites that are part of
       warning messages. (Closes: #907667)
 .
   * Miscellaneous:
     + [CL] Apply patch from Daniele Forsi fixing a large number of typos in
       the codebase, documentation, etc.
     + [CL] Update tests to support dash 0.5.10.2.
--- End Message ---
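The failure James reports and the escaping the changelog entry for lib/Lintian/Output.pm describes, as an added Python illustration of the logic rather than lintian's own Perl code. The package name and CDN host in the sample tag are constructed placeholders, and injected_tags is a hypothetical consumer-side check, not something lintian or dak ship.

```python
import html
import re

# Constructed sample tag, modelled on the report's privacy-breach-generic case.
# The package name and URL are placeholders, not a real Debian package.
SAMPLE_TAG = (
    "W", "libjs-example", "privacy-breach-generic",
    'usr/share/doc/libjs-example/examples/wysiwyg.html '
    '[<link rel="stylesheet" href="//cdn.example.invalid/theme.css">] '
    '(//cdn.example.invalid/theme.css)',
)

COLORS = {"E": "red", "W": "yellow", "I": "cyan", "P": "green"}

def format_tag_unescaped(code, pkg, tag, extra):
    """Pre-fix rendering: only the tag name is wrapped in a colouring span; the
    'extra' field (file names, snippets quoted from the package) is interpolated
    raw, so any markup inside it is parsed by the browser viewing the page."""
    return f'{code}: {pkg}: <span style="color: {COLORS[code]}">{tag}</span> {extra}'

def format_tag_escaped(code, pkg, tag, extra):
    """Post-fix rendering: every field that comes from the package is HTML-escaped
    before the span is added, so the span is the only live markup on the line."""
    e = html.escape
    return f'{e(code)}: {e(pkg)}: <span style="color: {COLORS[code]}">{e(tag)}</span> {e(extra)}'

# The only markup a coloured lintian line is supposed to contain.
ALLOWED_TAG = re.compile(r'<span style="color: [a-z]+">|</span>')

def injected_tags(rendered_line):
    """Hypothetical defender-side check a consumer such as dak could run on
    --color=html output before publishing: return every HTML tag other than
    lintian's own colouring spans. A non-empty result means package data reached
    the page as markup (e.g. a <link> that would fetch a stylesheet elsewhere)."""
    return [t for t in re.findall(r"<[^>]+>", rendered_line)
            if not ALLOWED_TAG.fullmatch(t)]

if __name__ == "__main__":
    for fmt in (format_tag_unescaped, format_tag_escaped):
        line = fmt(*SAMPLE_TAG)
        print(fmt.__name__, "->", injected_tags(line) or "no injected markup")
        print("   ", line)
```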