Bug#133329: marked as done (base.debian.net Pages Needs HTML Escaping)

To: Martin Michlmayr <tbm@cyrius.com>
Cc: debian-qa@lists.debian.org
Subject: Bug#133329: marked as done (base.debian.net Pages Needs HTML Escaping)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Mon, 11 Feb 2002 10:33:16 -0600
Message-id: <[🔎] handler.133329.D133329.101344504014290.ackdone@bugs.debian.org>
In-reply-to: <20020211173000.A2321@fisch.cyrius.com>
References: <20020211173000.A2321@fisch.cyrius.com> <[🔎] 20020211054244.GA1209@earthlink.net>

Your message dated Mon, 11 Feb 2002 17:30:00 +0100
with message-id <20020211173000.A2321@fisch.cyrius.com>
and subject line Bug#133329: base.debian.net Pages Needs HTML Escaping
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Feb 2002 05:42:49 +0000
>From jbucata@earthlink.net Sun Feb 10 23:42:49 2002
Return-path: <jbucata@earthlink.net>
Received: from hawk.mail.pas.earthlink.net [207.217.120.22] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 16a9En-00089t-00; Sun, 10 Feb 2002 23:42:49 -0600
Received: from user-v3qs43b.dialup.mindspring.com ([199.174.16.107] helo=blimpchess)
	by hawk.mail.pas.earthlink.net with esmtp (Exim 3.33 #1)
	id 16a9El-00067C-00
	for submit@bugs.debian.org; Sun, 10 Feb 2002 21:42:48 -0800
Received: from bucata by blimpchess with local (Exim 3.33 #1 (Debian))
	id 16a9Ei-0000KE-00
	for <submit@bugs.debian.org>; Sun, 10 Feb 2002 23:42:44 -0600
Date: Sun, 10 Feb 2002 23:42:44 -0600
From: Jason Bucata <jbucata@earthlink.net>
To: submit@bugs.debian.org
Subject: base.debian.net Pages Needs HTML Escaping
Message-ID: <[🔎] 20020211054244.GA1209@earthlink.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.27i
Sender: Jason Bucata <jbucata@earthlink.net>
Delivered-To: submit@bugs.debian.org

Package: qa.debian.org
Version: N/A
Severity: grave
Tag: security

Take a look at:
	http://base.debian.net/index.pmz?name=perl
using Mozilla (and perhaps other browsers).  Scroll down to bug #126608.

According to the BTS, the title of the bug should be:
	perl-5.005: $_ gets modified by m// inside for(shift) inside &sub($1)

Doing a View Source on that page shows that the "&sub($1)" is escaped as
"&amp;sub($1)" as you'd want it to be.

But on the base.debian.net page for Perl, it doesn't escape the
ampersand, with the result that Mozilla displays the is-a-proper-subset-of
symbol (confirmed by REC-html40):
	<!ENTITY sub      CDATA "&#8834;" -- subset of, U+2282 ISOtech -->

So the code behind those Web pages isn't escaping HTML characters.

Taking a further look for occurrences of < or >, on that same page I see
bug #65096:
	perl-5.005-base: HANDLE->blocking doesn't work
which doesn't have the > converted to &gt; like it should (though
Mozilla does display it correctly).  Again, the linked-to BTS page does
the right thing.

I've tagged this as a security bug because it could be used as a vector
to get malicious script code to people's browsers by a suitably-crafted
Subject: line in a bug report.  Or, to be more precise, I don't know
that it *couldn't* be used in such a fashion.  Please reprioritize as
desired.

Jason B.

-- 
Kindness has converted more sinners than zeal, eloquence, or learning.
	-- Frederick W. Faber, British theologian

---------------------------------------
Received: (at 133329-done) by bugs.debian.org; 11 Feb 2002 16:30:40 +0000
>From tbm@cyrius.com Mon Feb 11 10:30:40 2002
Return-path: <tbm@cyrius.com>
Received: from luonnotar.infodrom.org [195.124.48.78] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 16aJLj-0003hy-00; Mon, 11 Feb 2002 10:30:40 -0600
Received: from nautilus.noreply.org (unknown [138.232.34.77])
	by luonnotar.infodrom.org (Postfix) with ESMTP
	id 84985366A46; Mon, 11 Feb 2002 17:30:06 +0100 (CET)
Received: by nautilus.noreply.org (Postfix, from userid 10)
	id A23BE357C4; Mon, 11 Feb 2002 17:30:05 +0100 (CET)
Received: by fisch.cyrius.com (Postfix, from userid 1000)
	id 1EC4623B60; Mon, 11 Feb 2002 17:30:00 +0100 (CET)
Date: Mon, 11 Feb 2002 17:30:00 +0100
From: Martin Michlmayr <tbm@cyrius.com>
To: Jason Bucata <jbucata@earthlink.net>, 133329-done@bugs.debian.org
Subject: Re: Bug#133329: base.debian.net Pages Needs HTML Escaping
Message-ID: <20020211173000.A2321@fisch.cyrius.com>
References: <[🔎] 20020211054244.GA1209@earthlink.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[🔎] 20020211054244.GA1209@earthlink.net>
User-Agent: Mutt/1.3.22i
Delivered-To: 133329-done@bugs.debian.org

* Jason Bucata <jbucata@earthlink.net> [20020210 23:42]:
> bug #65096:
> 	perl-5.005-base: HANDLE->blocking doesn't work
> which doesn't have the > converted to &gt; like it should (though
> Mozilla does display it correctly).  Again, the linked-to BTS page does

Fixed.  Thanks for the note.
-- 
Martin Michlmayr
tbm@cyrius.com

Reply to:

References:
- Bug#133329: base.debian.net Pages Needs HTML Escaping
  - From: Jason Bucata <jbucata@earthlink.net>

Prev by Date: Re: ITP->RFP
Next by Date: Engineered Glass to Metal Hermetic Packages/Feed Throughs
Previous by thread: Bug#133329: base.debian.net Pages Needs HTML Escaping
Next by thread: Engineered Hermetic Glass to Metal Feed Throughs
Index(es):
- Date
- Thread