Bug#853189: marked as done (tracker.debian.org: Encoding issue / Code injection through Maintainer field (and probably others))

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 23 Mar 2018 10:35:33 +0100
with message-id <20180323093526.yzwocq6e7r7mzt42@crans.org>
and subject line Re: Bug#853189: tracker.debian.org: Encoding issue / Code injection through Maintainer field (and probably others)
has caused the Debian Bug report #853189,
regarding tracker.debian.org: Encoding issue / Code injection through Maintainer field (and probably others)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
853189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853189
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: tracker.debian.org: Ecnoding issue / Code injection through Maintainer field (and probably others)
• From: Dominik George <nik@naturalnet.de>
• Date: Mon, 30 Jan 2017 15:43:44 +0100
• Message-id: <148578742401.8158.7519569264622149962.reportbug@portux.lan.naturalnet.de>

Package: tracker.debian.org
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

tracker.debian.org apparently has encoding issues, not of the “schei�
encoding” kind, but it even seems to break the HTML completely and even
introduces new elements into the DOM in some way…

أحمد المحمودي (Ahmed El-Mahmoudy), e.g., in the Maintainer field of
python-whoosh [1] triggers the issue in the “testing migrations” pane
(but not in the Maintainer field itself…).

Find attached a screenshot.

[1]: https://tracker.debian.org/pkg/python-whoosh

- -- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/lksh
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----

iQJ4BAEBCABiFiEEPJ1UpHV1wCb7F/0mt5o8FqDE8pYFAliPUR8xGmh0dHBzOi8v
d3d3LmRvbWluaWstZ2VvcmdlLmRlL2dwZy1wb2xpY3kudHh0LmFzYxIcbmlrQG5h
dHVyYWxuZXQuZGUACgkQt5o8FqDE8pbXnQ//dLuHx9qVVea1zQ7Ip4rSheQT1rkW
wosOruh1o4lg0cbjfu0A4iomnZmza7eL4JkezlqnRfkYdQJemtOIORgI2Mv6T2pP
yF/C40l0nKexsSpVoZeoy1/aAmUyCbPwl1F3loT9fq49UpgmZId5OhR//VQU/Wax
DKxPgbc10Qx+R6rXkpnQ0vPATRmFvzWuh0lOTJDwxxqnzWFleO57YE4rBtZqUlRf
QsUCjsg32C3ZFDgUpzWvaZbke93CrEGxCE6aWz08WYmUNr/iE/kXQVUDfSBAqz0/
i7MlDHibceVGBvlXbEvkQ2AnHOJHI9jxi5Bvw8UC527gPdZo3yQczLj/eSy0nQMC
Rlh5pEnBD/av2BNhN0Xp1/Mqton4DOcw49QBWNQgNXsHXO69wIk+DFXjGL2Bii8N
rF1jRaG2luuogtkl4W3wY7KZhyF7dbR7dqRcfVnK0kmccyA+7LbpqWjMiO+L8TqM
jH9N5BfU62o5vsMKCIifN4K6siOVKm/6DeaFwMwv+hYFgYnr9W0iJpIfqedYGgho
stUSHb7HUsdwrOLrwHZYKq3J1eQ7xQJ46lv+z0EJ1lT4KONKbMcnq6ATQ3FGVPE1
s6rnmuvF9qoUOP8oTS2eqbcs6fiPA42aNrANozQbLlfvoJ9v4FLhQAWUKmy9qaIW
CagPj55DNvuLSL0=
=zU9h
-----END PGP SIGNATURE-----

Attachment: Screenshot_20170130_154301.png
Description: PNG image

--- End Message ---

--- Begin Message ---

• To: Christophe Siraut <tobald@debian.org>, 853189-done@bugs.debian.org
• Cc: Niels Thykier <niels@thykier.net>, DominikGeorge <nik@naturalnet.de>
• Subject: Re: Bug#853189: tracker.debian.org: Encoding issue / Code injection through Maintainer field (and probably others)
• From: Pierre-Elliott Bécue <becue@crans.org>
• Date: Fri, 23 Mar 2018 10:35:33 +0100
• Message-id: <20180323093526.yzwocq6e7r7mzt42@crans.org>
• In-reply-to: <[🔎] 20180316173710.oubahybqwruiwvou@pad.tobald.eu.org>
• References: <[🔎] 20180314090456.onxqpw363ow5jg3v@crans.org> <148578742401.8158.7519569264622149962.reportbug@portux.lan.naturalnet.de> <[🔎] 20180316173710.oubahybqwruiwvou@pad.tobald.eu.org>

Le vendredi 16 mars 2018 à 18:37:10+0100, Christophe Siraut a écrit :
> Hi Pierre-Elliott,
> 
> Thanks for looking into this. If you have a plan in mind please go
> for it. I wont be able to give much attention before a week or two.

Dear Christophe,

Your patch and my fixes were implemented in the tracker in commit
https://salsa.debian.org/qa/distro-tracker/commit/0e4f25ec86b09f30f65a0de05db0f98b487f1c76

I took advantage of these changes to make some other that were relevant,
either due to the code base evolution since your patch proposal or to
enhance your patch.

The whole diff is here:
https://salsa.debian.org/qa/distro-tracker/compare/7fa328dcc5222722b546d7dff61b97029b39aff0...a713822ea72eadad1fc01037101f6775156d5193

Thanks for your initial input!

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.

Attachment: signature.asc
Description: PGP signature

--- End Message ---