
Bug#945941: Lacking HTML encoding of debcheck results



Package: qa.debian.org
Severity: normal

Hi,

for the "nml" package, I'm seeing some warnings from debcheck at [1]:

  Package declares a build time dependency on 'python3-all-dev:any' which is broken Syntax.
  Package declares a build time dependency on 'python3-pil ' which is broken Syntax.
  Package declares a build time dependency on 'python3-ply ' which is broken Syntax.

[1]: https://qa.debian.org/debcheck.php?dist=unstable&package=nml

At first glance, especially the latter two seem perfectly fine, making the
error confusing. On closer inspection, the HTML source for these lines looks
like:

  <p>Package declares a build time dependency on 'python3-all-dev:any' which is broken Syntax.<br>
  Package declares a build time dependency on 'python3-pil <!nocheck>' which is broken Syntax.<br>
  Package declares a build time dependency on 'python3-ply <!nocheck>' which is broken Syntax.<br>

So it seems that qa.debian.org embeds the debcheck results into the HTML
without any encoding, making the brackets be interpreted as HTML and the
contents effectively hidden.

In theory, this could be a security problem (XSS), though exploiting that
probably requires uploading a package with an XSS attack embedded in the
dependency line (which probably needs to be accepted by other tooling in the
process as well, so might even be impossible). Maybe other errors are more
exploitable, but the lack of anonymity in the uploads probably means that this
is really a security problem in practice.

Note that lack of support for such a <!nocheck> clause is the subject of
#816448, but the encoding should be solved separately (even when that bug is
also solved).

Solving this would probably be a matter of adding a `htmlspecialchars()` around
the output lines.
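As an added illustration of the fix suggested above (example code written for this report, not the qa.debian.org debcheck.php source), the two functions below render the same three result lines, once verbatim and once through `htmlspecialchars()`. The `$lines` array is constructed from the messages quoted earlier; the function names and the surrounding `<p>`/`<br>` markup are assumptions modelled on the quoted HTML, not the site's actual code.

```php
<?php
// Added example, not the qa.debian.org code. Sample lines are constructed
// from the debcheck messages quoted in the bug report.
$lines = [
    "Package declares a build time dependency on 'python3-all-dev:any' which is broken Syntax.",
    "Package declares a build time dependency on 'python3-pil <!nocheck>' which is broken Syntax.",
    "Package declares a build time dependency on 'python3-ply <!nocheck>' which is broken Syntax.",
];

// Weak form (mirrors the quoted HTML): the text is inserted verbatim, so the
// browser parses '<!nocheck>' as markup and it vanishes from the rendered page.
function renderUnescaped(array $lines): string
{
    return '<p>' . implode("<br>\n", $lines) . "</p>\n";
}

// Corrected form: every line goes through htmlspecialchars() so that '<', '>',
// '&' and quotes reach the browser as character references, i.e. as text.
function renderEscaped(array $lines): string
{
    $escaped = array_map(
        static fn(string $l): string => htmlspecialchars($l, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        $lines
    );
    return '<p>' . implode("<br>\n", $escaped) . "</p>\n";
}

// Quick self-check: the raw bracket sequence must be gone from the escaped
// output and present only as its encoded form.
$out = renderEscaped($lines);
assert(strpos($out, '<!nocheck>') === false);
assert(strpos($out, '&lt;!nocheck&gt;') !== false);

echo renderUnescaped($lines);
echo $out;
```

In the escaped output the single quotes become `&#039;` and the angle brackets `&lt;` and `&gt;`, so the `<!nocheck>` clause is shown to the reader exactly as debcheck emitted it instead of being consumed by the HTML parser. Passing `ENT_QUOTES` also covers the case where a line ends up inside an attribute value rather than element text; `ENT_SUBSTITUTE` keeps a line with invalid UTF-8 from being dropped silently.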

Gr.

Matthijs
