
Bug#872646: marked as done (qa.debian.org: [debcheck] Escape some HTML before outputting)



Your message dated Mon, 16 Dec 2019 13:50:09 +0000
with message-id <5df78b9192f03_611c2b0d019250d4724b8@godard.mail>
and subject line Bug#872646 fixed in qa.debian.org
has caused the Debian Bug report #872646,
regarding qa.debian.org: [debcheck] Escape some HTML before outputting
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
872646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872646
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: qa.debian.org
Severity: important
Tags: patch

Hi,

Can someone review and release the attached patch:

  commit b57aea649dd0ee90d6f7e2bf44f6d6119ed71815
  Author: Chris Lamb <chris@chris-lamb.co.uk>
  Date:   Sat Aug 19 10:59:07 2017 -0700
  
      debcheck: Escape some HTML before outputting.
      
      Discovered as the parser doesn't support Build-Profiles, which end up as
      literal < and > chars in the error message:
      
        build time dependency on 'tcl <!nocheck>' which is broken Syntax
                                      ^        ^
      
      Signed-off-by: Chris Lamb <lamby@debian.org>
  
   data/debcheck/debcheck | 9 +++++----
   1 file changed, 5 insertions(+), 4 deletions(-)

Probably exploitable with:

  Standards-Version: <script>alert('XSS')</script>

*g*


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
From b57aea649dd0ee90d6f7e2bf44f6d6119ed71815 Mon Sep 17 00:00:00 2001
From: Chris Lamb <chris@chris-lamb.co.uk>
Date: Sat, 19 Aug 2017 10:59:07 -0700
Subject: [PATCH] debcheck: Escape some HTML before outputting.

Discovered as the parser doesn't support Build-Profiles, which end up as
literal < and > chars in the error message:

  build time dependency on 'tcl <!nocheck>' which is broken Syntax
                                ^        ^

Signed-off-by: Chris Lamb <lamby@debian.org>
---
 data/debcheck/debcheck | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/data/debcheck/debcheck b/data/debcheck/debcheck
index 863afe9..aabffe2 100755
--- a/data/debcheck/debcheck
+++ b/data/debcheck/debcheck
@@ -7,6 +7,7 @@ use strict;
 
 use Dpkg::ErrorHandling;
 use Dpkg::Version;
+use HTML::Escape qw{escape_html};
 report_options (quiet_warnings => 1);
 
 my $VERBOSE = -t 1; # output is a terminal
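Review bot: the name imported here is `escape_html` (the function HTML::Escape exports), but every call site in the following hunks is spelled `html_escape`, so the first time one of those branches runs the script dies with an undefined subroutine; import and call `escape_html` consistently, or alias it once near this line. This `use` line also makes HTML::Escape a new runtime dependency of debcheck, separate from the Dpkg modules already loaded above it, so it has to be present on the host that runs the script.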
@@ -619,7 +620,7 @@ sub malformedbuilddepends($$$$) {
 	my ($pkg, $prob, $maint, $section) = @_;
 	print FILE "<h1>Malformed Build-Depends</h1><p>";
 	for my $dependency (keys %$prob) {
-		print FILE "Package declares a build time dependency on '$dependency' which is broken Syntax.<br>\n";
+		print FILE "Package declares a build time dependency on '" . html_escape($dependency) . "' which is broken Syntax.<br>\n";
 	};
 	registerSummaryItem('malformed-build-depends', undef, $pkg, $maint);
 	registerSummaryItem('main-only-malformed-build-depends', undef, $pkg, $maint) if ($section eq 'main');
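Review bot: `html_escape($dependency)` does not match the `escape_html` import in the first hunk and will fail at runtime. Beyond the name, escaping each interpolated variable inline is easy to forget on the next `print FILE` added to this file; a small helper that escapes its arguments and prints the assembled line would make the pattern harder to regress. The `<p>` opened on the heading line is never closed, which is harmless to browsers but worth tidying while the line is being touched.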
@@ -628,7 +629,7 @@ sub malformedbuilddepends($$$$) {
 sub standardversion($$$$) {
 	my ($pkg, $prob, $maint, $section) = @_;
 	print FILE "<h1>Standards-Version</h1><p>";
-	print FILE "Package has a Standards-Version of $prob which is pretty old.<br>\n";
+	print FILE "Package has a Standards-Version of " . html_escape($prob) . " which is pretty old.<br>\n";
 	registerSummaryItem('Standards-Version', undef, $pkg, $maint);
 	registerSummaryItem('main-only-Standards-Version', undef, $pkg, $maint) if ($section eq 'main');
 };
@@ -636,7 +637,7 @@ sub standardversion($$$$) {
 sub wrongstandardversion($$$$) {
 	my ($pkg, $prob, $maint, $section) = @_;
 	print FILE "<h1>Wrong-Standards-Version-Syntax</h1><p>";
-	print FILE "Package has a Standards-Version of '$prob' which is broken Syntax.<br>\n";
+	print FILE "Package has a Standards-Version of '" . html_escape($prob) . "' which is broken Syntax.<br>\n";
 	registerSummaryItem('Wrong-Standards-Version-Syntax', undef, $pkg, $maint);
 	registerSummaryItem('main-only-Wrong-Standards-Version-Syntax', undef, $pkg, $maint) if ($section eq 'main');
 };
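Review bot: this is the branch a `Standards-Version: <script>alert('XSS')</script>` value (the vector named in the report) would reach, since that string fails the version syntax check, so this hunk is the one that closes the reported injection; the `html_escape`/`escape_html` mismatch applies here too. `$pkg` and `$maint` are still passed to `registerSummaryItem` unescaped on the two lines below; whether that path renders them into HTML is not visible in this diff, but it is worth checking while fixing the rest.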
@@ -677,7 +678,7 @@ EOF
 					my $them = $2;
 					for my $arch (keys %{$prob->{$depType}->{$depTarget}->{$partdepTarget}->{$priType}}) {
 						if ($depTarget eq $partdepTarget) {
-							print FILE "Package is $me and has a $depType on $depTarget which is $them on $arch.<br>\n";
+							print FILE "Package is " . html_escape($me and has a $depType on $depTarget which is $them on $arch.<br>\n";
 						} else {
 							print FILE "Package is $me and has a $depType on $partdepTarget (within $depTarget) which is $them on $arch.<br>\n";
 						};
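Review bot: the replacement line `print FILE "Package is " . html_escape($me and has a $depType on $depTarget which is $them on $arch.<br>\n";` is not valid Perl: the call is never closed and the remainder of the message is left inside the parentheses, so the patch does not compile as posted. The intent is presumably to escape `$me`, `$depType`, `$depTarget`, `$them` and `$arch` individually; the `else` branch two lines below prints the same variables plus `$partdepTarget` without any escaping and needs the same treatment, since a dependency target carrying a build-profile restriction will contain the same `<` and `>` characters the commit message describes.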
-- 
2.14.1


--- End Message ---
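An added example in Perl, not code from the bug report, from debcheck or from Chris Lamb, that puts the vulnerable print pattern beside the escaped form on a constructed control stanza. The stanza, its field values and the two report functions are made up for the demonstration; `escape_html` here is a hand-written stand-in for the function HTML::Escape exports, so the script runs on a plain Perl install, and it is assumed to cover only the five characters that matter for text nodes and quoted attribute values.

```perl
#!/usr/bin/perl
# Added example (not part of the bug report or of debcheck): shows why the
# raw interpolation in debcheck's report is HTML injection and what escaping
# at the point of output changes.
use strict;
use warnings;

# Hand-written escaper for the characters that break out of an HTML text
# node or a quoted attribute. debcheck's fix uses HTML::Escape instead; this
# stand-in avoids the extra module so the example needs core Perl only.
sub escape_html {
    my ($s) = @_;
    my %map = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed sample stanza (not a real package). The Standards-Version
# value is the payload from the report; the Build-Depends value is a
# legitimate build-profile restriction containing the same characters.
my $stanza = <<'END';
Package: example
Standards-Version: <script>alert('XSS')</script>
Build-Depends: debhelper (>= 11), tcl <!nocheck>
END

my %field;
for my $line (split /\n/, $stanza) {
    my ($name, $value) = $line =~ /^([^:]+):\s*(.*)$/ or next;
    $field{$name} = $value;
}

# The shape of debcheck's original output: values interpolated straight
# into HTML, so '<' and '>' in the data become markup in the page.
sub report_unescaped {
    my (%f) = @_;
    return "<h1>Wrong-Standards-Version-Syntax</h1><p>"
         . "Package has a Standards-Version of '$f{'Standards-Version'}' which is broken Syntax.<br>\n"
         . "Package declares a build time dependency on '$f{'Build-Depends'}' which is broken Syntax.<br>\n";
}

# The same report with every untrusted value escaped where it is emitted.
sub report_escaped {
    my (%f) = @_;
    return "<h1>Wrong-Standards-Version-Syntax</h1><p>"
         . "Package has a Standards-Version of '" . escape_html($f{'Standards-Version'}) . "' which is broken Syntax.<br>\n"
         . "Package declares a build time dependency on '" . escape_html($f{'Build-Depends'}) . "' which is broken Syntax.<br>\n";
}

print "--- unescaped: the script element reaches the browser as markup ---\n";
print report_unescaped(%field);
print "--- escaped: the same text, rendered literally ---\n";
print report_escaped(%field);
```

The point of the second report function is that the fix is applied per value at the output boundary, not by filtering the input: `tcl <!nocheck>` is valid Debian syntax and must survive unchanged in the data, and only its rendering changes.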
--- Begin Message ---
Hello,

Bug #872646 in qa.debian.org reported by you has been fixed in the Git repository.
You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/qa/qa/commit/f2f5cd9e74db6d63463276e7589b1e0149d09c8b

------------------------------------------------------------------------
debcheck: Do more HTML escaping

Dependencies may end up containing "<" or ">" due to build profiles.

This is very much not the way I prefer to programmatically output HTML,
but rewriting debcheck to use a template-based approach would be a
rather larger change.

Based loosely on a partial patch from Chris Lamb.

Closes: #872646
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/872646

--- End Message ---
