
Bug#181872: marked as done (www.debian.org: Improper handling of special HTML characters in package descriptions)



Your message dated Thu, 17 Apr 2003 19:43:12 -0700
with message-id <20030418024312.GA231@ftbfs.org>
and subject line done
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 21 Feb 2003 10:21:59 +0000
From tore@linpro.no Fri Feb 21 04:21:57 2003
Return-path: <tore@linpro.no>
Received: from head.linpro.no [80.232.36.1] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 18mAJZ-0006aJ-00; Fri, 21 Feb 2003 04:21:57 -0600
Received: from python.linpro.no ([80.232.36.148])
	by head.linpro.no with esmtp (Exim 4.12 #1 (Debian))
	id 18mAJX-0008Fs-00; Fri, 21 Feb 2003 11:21:55 +0100
Received: from tore by python.linpro.no with local (Exim 3.35 #1 (Debian))
	id 18mAJX-0005CT-00; Fri, 21 Feb 2003 11:21:55 +0100
From: Tore Anderson <tore@linpro.no>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: www.debian.org: Improper handling of special HTML characters in package descriptions
X-Mailer: reportbug 1.50
Date: Fri, 21 Feb 2003 11:21:55 +0100
Message-Id: <E18mAJX-0005CT-00@python.linpro.no>
X-Spam-Score: 1.4 (+)
X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/) *18mAJX-0008Fs-00*meLSmHvSW16*
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=1.2 required=4.0
	tests=HAS_PACKAGE,PORN_4,SPAM_PHRASE_00_01
	version=2.44
X-Spam-Level: *

Package: www.debian.org
Version: N/A; reported 2003-02-21
Severity: normal

  The scripts generating the packages' pages on
 <http://packages.debian.org> fail to convert the characters "<" and
 ">" to their respective HTML entities, such as "&lt;" and "&gt;".  It
 is likely that other characters are also affected by this.

  To see an example of this, take a look at
 <http://packages.debian.org/unstable/games/scummvm.html>.  The
 description in question reads:

    ".. at <URL: http://scummvm.sf.net/compatibility.php>. .."

  Mozilla shows this on the web pages like this:

    ".. at http://scummvm.sf.net/compatibility.php>. .."

  and the HTML source reads:

    ".. at <URL: <a href="http://scummvm.sf.net/compatibility.php>">http://scummvm.sf.net/compatibility.php></a>. .."
  
  Obviously, the special characters should have been replaced by their
 respective HTML entities.  I would assume that a malicious uploader
 could use packages.debian.org for an XSS attack, should he be inclined
 to do so. I don't believe that's likely to happen, though, so no
 security tag added.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux python.linpro.no 2.4.20-xfs #1 Wed Dec 11 20:26:47 CET 2002 i686
Locale: LANG=C, LC_CTYPE=no_NO.ISO-8859-1
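
As an added illustration (not the packages.debian.org scripts and not the patch referred to later in this bug), the following reproduces the failure mode the report describes beside a corrected renderer that HTML-escapes every text and URL segment before emitting markup. The sample description and the helper names are constructed here, modelled on the scummvm snippet quoted above.

```python
import html
import re

# Constructed sample, modelled on the scummvm description quoted in the report.
SAMPLE = "See the list at <URL: http://scummvm.sf.net/compatibility.php>. Enjoy."

# A URL runs until whitespace, '<', '>' or '"', and does not end in '.' or ','.
# Excluding '>' matters: the HTML source in the report shows the closing '>'
# of "<URL: ...>" being swallowed into the href.
URL_RE = re.compile(r'https?://[^\s<>"]*[^\s<>".,]')


def render_unescaped(desc):
    """Reproduces the reported failure (assumed behaviour, not the real
    packages.debian.org code): URLs are linkified but nothing is escaped,
    so '<' and '>' from the description become live markup."""
    naive_url = re.compile(r'https?://\S*[^\s.,]')  # no '>' exclusion
    return naive_url.sub(lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), desc)


def render_escaped(desc):
    """Corrected renderer: split the description into text and URL segments and
    HTML-escape each one separately, so escaping happens before any markup is
    emitted and a URL containing '&' still yields a well-formed href."""
    out = []
    pos = 0
    for m in URL_RE.finditer(desc):
        out.append(html.escape(desc[pos:m.start()]))
        url = html.escape(m.group(0))  # quote=True by default, so '"' is escaped too
        out.append('<a href="%s">%s</a>' % (url, url))
        pos = m.end()
    out.append(html.escape(desc[pos:]))
    return "".join(out)


def has_stray_markup(rendered):
    """Regression check: True if any '<' in the output does not open or close one
    of the <a> anchors the renderer itself emits."""
    return bool(re.search(r'<(?!a |/a>)', rendered))


if __name__ == "__main__":
    print(render_unescaped(SAMPLE))  # reproduces the broken source quoted in the report
    print(render_escaped(SAMPLE))    # '<' and '>' appear as &lt; and &gt;
```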


---------------------------------------
Received: (at 181872-done) by bugs.debian.org; 18 Apr 2003 02:43:11 +0000
From kraai@lafn.org Thu Apr 17 21:43:11 2003
Return-path: <kraai@lafn.org>
Received: from host-66-81-203-104.rev.o1.com (catalunya) [66.81.203.104] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 196LqI-0002wQ-00; Thu, 17 Apr 2003 21:43:11 -0500
Received: from kraai by catalunya with local (Exim 3.35 #1 (Debian))
	id 196LqK-0000AY-00
	for <181872-done@bugs.debian.org>; Thu, 17 Apr 2003 19:43:12 -0700
Date: Thu, 17 Apr 2003 19:43:12 -0700
From: Matt Kraai <kraai@alumni.cmu.edu>
To: 181872-done@bugs.debian.org
Subject: done
Message-ID: <20030418024312.GA231@ftbfs.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
Sender: Matt Kraai <kraai@lafn.org>
Delivered-To: 181872-done@bugs.debian.org
X-Spam-Status: No, hits=-1.2 required=4.0
	tests=SIGNATURE_SHORT_DENSE,SPAM_PHRASE_00_01,USER_AGENT,
	      USER_AGENT_MUTT
	version=2.44
X-Spam-Level: 

Howdy,

I committed a patch to escape HTML entities.  Broken pages should
be fixed after the next packages.d.o build.

Matt
-- 
Matt Kraai <kraai@alumni.cmu.edu>
Debian GNU/Linux Peon
