Your message dated Mon, 16 Dec 2019 13:50:09 +0000
with message-id <5df78b9192f03_611c2b0d019250d4724b8@godard.mail>
and subject line Bug#872646 fixed in qa.debian.org
has caused the Debian Bug report #872646,
regarding Lacking HTML encoding of debcheck results
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
872646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872646
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: Lacking HTML encoding of debcheck results
- From: Matthijs Kooijman <matthijs@stdin.nl>
- Date: Sun, 01 Dec 2019 12:52:43 +0100
- Message-id: <157520116340.16107.11189995324765069817.reportbug@grubby>
Package: qa.debian.org
Severity: normal

Hi,

for the "nml" package, I'm seeing some warnings from debcheck at [1]:

  Package declares a build time dependency on 'python3-all-dev:any' which is broken Syntax.
  Package declares a build time dependency on 'python3-pil ' which is broken Syntax.
  Package declares a build time dependency on 'python3-ply ' which is broken Syntax.

[1]: https://qa.debian.org/debcheck.php?dist=unstable&package=nml

At first glance, especially the latter two seem perfectly fine, making the error confusing. On closer inspection, the HTML source for these lines looks like:

  <p>Package declares a build time dependency on 'python3-all-dev:any' which is broken Syntax.<br>
  Package declares a build time dependency on 'python3-pil <!nocheck>' which is broken Syntax.<br>
  Package declares a build time dependency on 'python3-ply <!nocheck>' which is broken Syntax.<br>

So it seems that qa.debian.org embeds the debcheck results into the HTML without any encoding, making the brackets be interpreted as HTML and the contents effectively hidden.

In theory, this could be a security problem (XSS), though exploiting that probably requires uploading a package with an XSS attack embedded in the dependency line (which probably needs to be accepted by other tooling in the process as well, so might even be impossible). Maybe other errors are more exploitable, but the lack of anonymity in the uploads probably means that this is really a security problem in practice.

Note that lack of support for such a <!nocheck> clause is the subject of #816448, but the encoding should be solved separately (even when that bug is also solved).

Solving this would probably be a matter of adding a `htmlspecialchars()` around the output lines.

Gr.

Matthijs
--- End Message ---
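The report above shows the classic shape of an output-encoding bug: text produced by one tool (debcheck) is concatenated into HTML, so a browser treats `<!nocheck>` as a bogus comment and swallows it. The following is an added example, not code from debcheck.php or the qa.debian.org repository; the function names and the sample lines are constructed for illustration. It renders the three messages from the report once unescaped (the broken behaviour described in the bug) and once through `htmlspecialchars()`, the fix the reporter suggests.

```php
<?php
// Added example, not qa.debian.org's own debcheck.php code.
// Constructed sample of debcheck messages as they look before HTML encoding;
// the "<!nocheck>" build-profile restriction is the part that disappeared in
// the rendered page, because a browser parses "<!..." as a bogus comment.
const SAMPLE_LINES = [
    "Package declares a build time dependency on 'python3-all-dev:any' which is broken Syntax.",
    "Package declares a build time dependency on 'python3-pil <!nocheck>' which is broken Syntax.",
    "Package declares a build time dependency on 'python3-ply <!nocheck>' which is broken Syntax.",
];

/**
 * Escape one line of debcheck output for inclusion in an HTML text node.
 * ENT_QUOTES also escapes ' and ", so the result is safe inside quoted
 * attribute values too (before PHP 8.1 the default flags left ' alone).
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
 * string, so a malformed dependency line cannot blank the whole output.
 */
function escape_line(string $line): string
{
    return htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable rendering: raw tool output goes straight into the markup. */
function render_unescaped(array $lines): string
{
    return "<p>" . implode("<br>\n", $lines) . "</p>\n";
}

/** Fixed rendering: every line passes through escape_line() first. */
function render_escaped(array $lines): string
{
    return "<p>" . implode("<br>\n", array_map('escape_line', $lines)) . "</p>\n";
}

if (PHP_SAPI === 'cli') {
    echo "--- unescaped: a browser hides everything from <!nocheck to > ---\n";
    echo render_unescaped(SAMPLE_LINES);
    echo "--- escaped: <!nocheck> survives as &lt;!nocheck&gt; ---\n";
    echo render_escaped(SAMPLE_LINES);
}
```

Run it with `php example.php` and compare the two outputs. The escaped version keeps the build-profile restriction visible, which is the usability complaint in the report, and it also closes the XSS angle the reporter raises, because no byte from the dependency line can open a tag or break out of a quoted attribute. The caveat a reviewer would add: `htmlspecialchars()` is the right primitive only for HTML text and quoted attribute contexts; a value that ends up inside a `<script>` block, an inline event handler, or a URL needs the encoder for that context instead.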
--- Begin Message ---
- To: 872646-done@bugs.debian.org
- Subject: Bug#872646 fixed in qa.debian.org
- From: Mattia Rizzolo <mattia@debian.org>
- Date: Mon, 16 Dec 2019 13:50:09 +0000
- Message-id: <5df78b9192f03_611c2b0d019250d4724b8@godard.mail>
Hello,

Bug #872646 in qa.debian.org reported by you has been fixed in the Git repository. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/qa/qa/commit/f2f5cd9e74db6d63463276e7589b1e0149d09c8b

------------------------------------------------------------------------
debcheck: Do more HTML escaping

Dependencies may end up containing "<" or ">" due to build profiles.

This is very much not the way I prefer to programmatically output HTML, but rewriting debcheck to use a template-based approach would be a rather larger change.

Based loosely on a partial patch from Chris Lamb.

Closes: #872646
------------------------------------------------------------------------

(this message was generated automatically)

--
Greetings
https://bugs.debian.org/872646
--- End Message ---