Package: lintian Version: 2.5.14 control: block 637580 by 718427 control: tag 637580 + patch
also detect piwik
From e76aa193da8f1f4ad9e1541ca500bc442bcd9fc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bast...@gmail.com> Date: Tue, 6 Aug 2013 11:03:01 +0200 Subject: [PATCH 1/3] Test google adsense privacy breach Google adsense breach the privacy of our user. Detect such problem on installed file --- checks/files.desc | 8 ++++++ checks/files.pm | 28 ++++++++++++++++++++ t/tests/files-privacybreach/debian/debian/install | 1 + t/tests/files-privacybreach/debian/src/adsense.js | 12 +++++++++ .../debian/src/adsenseonlyadds.js | 1 + .../debian/src/adsenseonlyvar.js | 12 +++++++++ t/tests/files-privacybreach/desc | 5 ++++ t/tests/files-privacybreach/tags | 3 +++ 8 files changed, 70 insertions(+) create mode 100644 t/tests/files-privacybreach/debian/debian/install create mode 100644 t/tests/files-privacybreach/debian/src/adsense.js create mode 100644 t/tests/files-privacybreach/debian/src/adsenseonlyadds.js create mode 100644 t/tests/files-privacybreach/debian/src/adsenseonlyvar.js create mode 100644 t/tests/files-privacybreach/desc create mode 100644 t/tests/files-privacybreach/tags diff --git a/checks/files.desc b/checks/files.desc index 55f94fd..df1cf26 100644 --- a/checks/files.desc +++ b/checks/files.desc @@ -914,6 +914,14 @@ Info: This package contains an embedded copy of JavaScript libraries package and symlink the library into the appropriate location. Ref: policy 4.13 +Tag: privacy-breach-google-adsense +Severity: important +Certainty: possible +Info: This package create a privacy breach by fetching some data from + google adsense and feed some private data to google. + Please remove this script. +Ref: https://wiki.debian.org/Lintian/Tags/privacy-breach-google-adsense + Tag: embedded-feedparser-library Severity: normal Certainty: certain diff --git a/checks/files.pm b/checks/files.pm index a080e56..82deb45 100644 --- a/checks/files.pm +++ b/checks/files.pm 
@@ -22,6 +22,8 @@ package Lintian::files; use strict; use warnings; use autodie; +use v5.10; +use feature qw(switch); use File::Basename; @@ -1005,6 +1007,32 @@ foreach my $file ($info->sorted_index) { } } + # ---------------- html file or fragment + if ($file =~ m,\.(?:x?html?|js|xht|xml)$,i) { + open(my $fd, '<', $info->unpacked($file)); + my %privacybreachhash = (); + while (<$fd>) { + if (m,google_ad_client\s*=,) { + unless (exists $privacybreachhash{'google-adsense'}) { + tag 'privacy-breach-google-adsense', $file; + $privacybreachhash{'google-adsense'} = 1; + } + } + if (m,<script\s+[^>]*?\s+src="(?:http|ftp)://(?'website'[^"]*?)"[^>]*?>,){ + my $website=$+{website}; + given ($website) { + when (m,googlesyndication.com/pagead/show_ads.js,) { + unless (exists $privacybreachhash{'google-adsense'}) { + tag 'privacy-breach-google-adsense', $file; + $privacybreachhash{'google-adsense'} = 1; + } + } + } + } + } + close($fd); + } + # ---------------- fonts if ($file =~ m,/([\w-]+\.(?:[to]tf|pfb))$,i) { my $font = lc $1; diff --git a/t/tests/files-privacybreach/debian/debian/install b/t/tests/files-privacybreach/debian/debian/install new file mode 100644 index 0000000..12abe36 --- /dev/null +++ b/t/tests/files-privacybreach/debian/debian/install @@ -0,0 +1 @@ +src/*.js /usr/share/javascript/ diff --git a/t/tests/files-privacybreach/debian/src/adsense.js b/t/tests/files-privacybreach/debian/src/adsense.js new file mode 100644 index 0000000..da53cc1 --- /dev/null +++ b/t/tests/files-privacybreach/debian/src/adsense.js 
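Review bot: The `<script` pattern in the new html/js block, `m,<script\s+[^>]*?\s+src="(?:http|ftp)://(?'website'[^"]*?)"[^>]*?>,`, only matches `http://` or `ftp://` inside double quotes, is case-sensitive, and needs whitespace both after `<script` and before `src`, so with a single space `<script src="...">` cannot match at all; `https://` sources (which the later piwik fixture itself uses), single-quoted and upper-case forms are all missed, and the same pattern is carried unchanged into the patch 3 hunk of checks/files.pm. A broader form such as `m{<script\b[^>]*?\ssrc\s*=\s*["']?(?:https?|ftp)://(?<website>[^"'\s>]+)}i` closes those gaps while still stopping the capture at the closing quote. Separately, `open(my $fd, '<', $info->unpacked($file))` runs for every index entry whose name ends in one of the listed extensions, including symlinks, which Debian packages routinely use for `.js` files pointing at libjs-* packages (as the embedded-library tags just above this hunk describe); under `use autodie` a dangling link becomes an exception that aborts the whole check, so the guard should be limited to regular files, e.g. `if ($file =~ m,\.(?:x?html?|js|xht|xml)$,i and $info->index($file)->is_file)` if that accessor is available in this Lintian version. The enclosing `foreach my $file` loop starts and ends outside the hunk.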
@@ -0,0 +1,12 @@ +<script type="text/javascript"> +google_ad_client = "pub-123456789"; +google_ad_width = 728; +google_ad_height = 90; +google_ad_format = "728x90_as"; +google_ad_type = "text_image"; +google_color_border = "FFFFFF"; +google_color_bg = "0000FF"; +google_color_link = "FFFFFF"; +google_color_text = "000000"; +google_color_url = "008000"; +</script><script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script> \ No newline at end of file diff --git a/t/tests/files-privacybreach/debian/src/adsenseonlyadds.js b/t/tests/files-privacybreach/debian/src/adsenseonlyadds.js new file mode 100644 index 0000000..907e5fb --- /dev/null +++ b/t/tests/files-privacybreach/debian/src/adsenseonlyadds.js @@ -0,0 +1 @@ +<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script> \ No newline at end of file diff --git a/t/tests/files-privacybreach/debian/src/adsenseonlyvar.js b/t/tests/files-privacybreach/debian/src/adsenseonlyvar.js new file mode 100644 index 0000000..eb7bdb6 --- /dev/null +++ b/t/tests/files-privacybreach/debian/src/adsenseonlyvar.js @@ -0,0 +1,12 @@ +<script type="text/javascript"> +google_ad_client = "pub-123456789"; +google_ad_width = 728; +google_ad_height = 90; +google_ad_format = "728x90_as"; +google_ad_type = "text_image"; +google_color_border = "FFFFFF"; +google_color_bg = "0000FF"; +google_color_link = "FFFFFF"; +google_color_text = "000000"; +google_color_url = "008000"; +</script> \ No newline at end of file diff --git a/t/tests/files-privacybreach/desc b/t/tests/files-privacybreach/desc new file mode 100644 index 0000000..2f1b42f --- /dev/null +++ b/t/tests/files-privacybreach/desc @@ -0,0 +1,5 @@ +Testname: files-privacybreach +Sequence: 6000 +Version: 1.0 +Description: Check for different html privacy breach +Test-For: privacy-breach-google-adsense 
diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags new file mode 100644 index 0000000..7941e66 --- /dev/null +++ b/t/tests/files-privacybreach/tags @@ -0,0 +1,3 @@ +E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsense.js +E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyadds.js +E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyvar.js -- 1.7.10.4
From 801a424f75a111628d7507be1f53f8ab8552cbaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bast...@gmail.com> Date: Tue, 6 Aug 2013 11:32:36 +0200 Subject: [PATCH 2/3] Detect generic privacy breach When a script fetch an external website they are a potential privacy breach. Add an experimental tag for it. --- checks/files.desc | 7 +++++++ checks/files.pm | 6 ++++++ t/tests/files-privacybreach/debian/src/genericwebsite.js | 1 + t/tests/files-privacybreach/desc | 4 +++- t/tests/files-privacybreach/tags | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 t/tests/files-privacybreach/debian/src/genericwebsite.js diff --git a/checks/files.desc b/checks/files.desc index df1cf26..fae942d 100644 --- a/checks/files.desc +++ b/checks/files.desc @@ -922,6 +922,13 @@ Info: This package create a privacy breach by fetching some data from Please remove this script. Ref: https://wiki.debian.org/Lintian/Tags/privacy-breach-google-adsense +Tag: privacy-breach-generic +Severity: important +Certainty: wild-guess +Experimental: yes +Info: This package create a privacy breach by fetching some data from + an external website. Please remove this script. + Tag: embedded-feedparser-library Severity: normal Certainty: certain diff --git a/checks/files.pm b/checks/files.pm index 82deb45..db3abbc 100644 --- a/checks/files.pm +++ b/checks/files.pm @@ -1027,6 +1027,12 @@ foreach my $file ($info->sorted_index) { $privacybreachhash{'google-adsense'} = 1; } } + default { + unless (exists $privacybreachhash{'generic-'.$website}) { + tag 'privacy-breach-generic', $file, $website; + $privacybreachhash{'generic-'.$website} = 1; + } + } } } } diff --git a/t/tests/files-privacybreach/debian/src/genericwebsite.js b/t/tests/files-privacybreach/debian/src/genericwebsite.js new file mode 100644 index 0000000..37aaa96 --- /dev/null +++ b/t/tests/files-privacybreach/debian/src/genericwebsite.js 
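Review bot: The new `default` branch in the inner `given ($website)` tags every absolute http/ftp script source that is not adsense, which includes loopback hosts such as `localhost` or `127.0.0.1` that web applications and their documentation commonly reference; fetching from the local machine is not a privacy breach, so those should probably be skipped even though the tag is experimental. A `when (m,\A(?:localhost|127\.0\.0\.1)(?::\d+)?(?:/|\z),) { }` branch placed before `default` would swallow them without touching the generic path. The `$website` string also comes straight from package content and is emitted as part of the tag, so it is worth keeping the capture restricted to non-whitespace characters so that a crafted `src` cannot spread the tag line over several output lines. The enclosing `while` loop and `foreach` start and end outside the hunk.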
@@ -0,0 +1 @@ +<script type="text/javascript" src="http://www.example.com/trackme.js"></script> \ No newline at end of file diff --git a/t/tests/files-privacybreach/desc b/t/tests/files-privacybreach/desc index 2f1b42f..d6cc677 100644 --- a/t/tests/files-privacybreach/desc +++ b/t/tests/files-privacybreach/desc @@ -2,4 +2,6 @@ Testname: files-privacybreach Sequence: 6000 Version: 1.0 Description: Check for different html privacy breach -Test-For: privacy-breach-google-adsense +Test-For: + privacy-breach-generic + privacy-breach-google-adsense diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags index 7941e66..b84771b 100644 --- a/t/tests/files-privacybreach/tags +++ b/t/tests/files-privacybreach/tags @@ -1,3 +1,4 @@ E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsense.js E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyadds.js E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyvar.js +X: files-privacybreach: privacy-breach-generic usr/share/javascript/genericwebsite.js www.example.com/trackme.js -- 1.7.10.4
From 5759b586443d53ce0fc4e79897509f71b92d6728 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bast...@gmail.com> Date: Tue, 6 Aug 2013 15:03:57 +0200 Subject: [PATCH 3/3] Add piwik privacy breach detection Warn when we detect a piwik tracker. --- checks/files.desc | 11 ++++- checks/files.pm | 49 +++++++++++++------- t/tests/files-privacybreach/debian/src/piwik.js | 12 +++++ .../files-privacybreach/debian/src/piwikvariant.js | 11 +++++ t/tests/files-privacybreach/desc | 1 + t/tests/files-privacybreach/tags | 2 + 6 files changed, 66 insertions(+), 20 deletions(-) create mode 100644 t/tests/files-privacybreach/debian/src/piwik.js create mode 100644 t/tests/files-privacybreach/debian/src/piwikvariant.js diff --git a/checks/files.desc b/checks/files.desc index fae942d..53cb49c 100644 --- a/checks/files.desc +++ b/checks/files.desc @@ -922,6 +922,13 @@ Info: This package create a privacy breach by fetching some data from Please remove this script. Ref: https://wiki.debian.org/Lintian/Tags/privacy-breach-google-adsense +Tag: privacy-breach-piwik +Severity: important +Certainty: possible +Info: This package create a privacy breach by fetching some data from + a piwik based web site and feed some private data to it. + Please remove this script. + Tag: privacy-breach-generic Severity: important Certainty: wild-guess @@ -974,7 +981,7 @@ Info: This package contains a *.ttf, *.otf, or *.pfb file, file the font should be packaged separately, since fonts are usually useful outside of the package that embeds them. -Tag: license-problem-font-adobe-copyrighted-fragment +Tag: font-adobe-copyrighted-fragment Severity: serious Certainty: possible Info: This type 1 font file includes some postscript fragment with a 
@@ -984,7 +991,7 @@ Info: This type 1 font file includes some postscript fragment with a Should this be a false-positive, please override the tag. Ref: http://wiki.debian.org/qa.debian.org/type1nondfsg -Tag: license-problem-font-adobe-copyrighted-fragment-no-credit +Tag: font-adobe-copyrighted-fragment-no-credit Severity: serious Certainty: possible Info: This type 1 font file includes some postscript fragment with a diff --git a/checks/files.pm b/checks/files.pm index db3abbc..349dbd2 100644 --- a/checks/files.pm +++ b/checks/files.pm 
@@ -1011,26 +1011,39 @@ foreach my $file ($info->sorted_index) {
 if ($file =~ m,\.(?:x?html?|js|xht|xml)$,i) {
 open(my $fd, '<', $info->unpacked($file));
 my %privacybreachhash = ();
- while (<$fd>) {
- if (m,google_ad_client\s*=,) {
- unless (exists $privacybreachhash{'google-adsense'}) {
- tag 'privacy-breach-google-adsense', $file;
- $privacybreachhash{'google-adsense'} = 1;
+ while (my $line = <$fd>) {
+ given ($line) {
+ # google adsense
+ when (m,google_ad_client\s*=,) {
+ unless (exists $privacybreachhash{'google-adsense'}) {
+ tag 'privacy-breach-google-adsense', $file;
+ $privacybreachhash{'google-adsense'} = 1;
+ }
+ continue;
 }
- }
- if (m,<script\s+[^>]*?\s+src="(?:http|ftp)://(?'website'[^"]*?)"[^>]*?>,){
- my $website=$+{website};
- given ($website) {
- when (m,googlesyndication.com/pagead/show_ads.js,) {
- unless (exists $privacybreachhash{'google-adsense'}) {
- tag 'privacy-breach-google-adsense', $file;
- $privacybreachhash{'google-adsense'} = 1;
- }
+ # piwik
+ when(m,piwik_url\s*=, or m,pkBaseURL\s*=, or m,piwik\.js, or m,End\s+Piwik\s+(?:Tag|Code),) {
+ unless (exists $privacybreachhash{'piwik'}) {
+ tag 'privacy-breach-piwik', $file;
+ $privacybreachhash{'piwik'} = 1;
 }
- default {
- unless (exists $privacybreachhash{'generic-'.$website}) {
- tag 'privacy-breach-generic', $file, $website;
- $privacybreachhash{'generic-'.$website} = 1;
+ continue;
+ }
+ # script tag
+ when (m,<script\s+[^>]*?\s+src="(?:http|ftp)://(?'website'[^"]*?)"[^>]*?>,){
+ my $website=$+{website};
+ given ($website) {
+ when (m,googlesyndication.com/pagead/show_ads.js,) {
+ unless (exists $privacybreachhash{'google-adsense'}) {
+ tag 'privacy-breach-google-adsense', $file;
+ $privacybreachhash{'google-adsense'} = 1;
+ }
+ }
+ default {
+ unless (exists $privacybreachhash{'generic-'.$website}) {
+ tag 'privacy-breach-generic', $file, $website;
+ $privacybreachhash{'generic-'.$website} = 1;
+ }
 }
 }
 }
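Review bot: A line such as `<script src="http://host/piwik/piwik.js">` is tagged twice by the rewritten block: the piwik `when` matches `m,piwik\.js,`, falls through via `continue;`, and the script-tag branch then lands in `default` and emits `privacy-breach-generic` for the same host. Adding a branch before `default` in the inner `given ($website)`, `when (m,piwik\.js,)`, that records `privacy-breach-piwik` under the existing `$privacybreachhash{'piwik'}` guard keeps the two tags exclusive, and the same treatment applies to the adsense host already handled there. As a point of style, every outer `when` ends in `continue;`, so the `given ($line)` construct behaves exactly like a chain of independent `if ($line =~ ...)` tests; writing it that way avoids `use feature qw(switch)`, which perl 5.18 and later reports as experimental, and the `when(m,piwik_url` spelling differs from the `when (` used on the other branches. The `open`/`close` pair and the enclosing `foreach` start or end outside the hunk.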
diff --git a/t/tests/files-privacybreach/debian/src/piwik.js b/t/tests/files-privacybreach/debian/src/piwik.js new file mode 100644 index 0000000..8a2ce39 --- /dev/null +++ b/t/tests/files-privacybreach/debian/src/piwik.js @@ -0,0 +1,12 @@ +<!-- Piwik --> +<script type="text/javascript"> +var pkBaseURL = (("https:" == document.location.protocol) ? "https://apps.sourceforge.net/piwik/matplotlib/" : "http://apps.sourceforge.net/piwik/matplotlib/"); +document.write(unescape("%3Cscript src='" + pkBaseURL + "piwik.js' type='text/javascript'%3E%3C/script%3E")); +</script><script type="text/javascript"> +piwik_action_name = ''; +piwik_idsite = 1; +piwik_url = pkBaseURL + "piwik.php"; +piwik_log(piwik_action_name, piwik_idsite, piwik_url); +</script> +<object><noscript><p><img src="http://apps.sourceforge.net/piwik/matplotlib/piwik.php?idsite=1" alt="piwik"/></p></noscript></object> +<!-- End Piwik Tag --> \ No newline at end of file diff --git a/t/tests/files-privacybreach/debian/src/piwikvariant.js b/t/tests/files-privacybreach/debian/src/piwikvariant.js new file mode 100644 index 0000000..6a8e5cb --- /dev/null +++ b/t/tests/files-privacybreach/debian/src/piwikvariant.js @@ -0,0 +1,11 @@ +<!-- Piwik --> <script type="text/javascript"> +var _paq = _paq || []; +(function(){ var u=(("https:" == document.location.protocol) ? "https://{$PIWIK_URL}/" : "http://{$PIWIK_URL}/"); +_paq.push(['setSiteId', {$IDSITE}]); +_paq.push(['setTrackerUrl', u+'piwik.php']); +_paq.push(['trackPageView']); +_paq.push(['enableLinkTracking']); +var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.type='text/javascript'; g.defer=true; g.async=true; g.src=u+'piwik.js'; +s.parentNode.insertBefore(g,s); })(); + </script> +<!-- End Piwik Code --> \ No newline at end of file diff --git a/t/tests/files-privacybreach/desc b/t/tests/files-privacybreach/desc index d6cc677..2f00722 100644 --- a/t/tests/files-privacybreach/desc +++ b/t/tests/files-privacybreach/desc 
@@ -5,3 +5,4 @@ Description: Check for different html privacy breach Test-For: privacy-breach-generic privacy-breach-google-adsense + privacy-breach-piwik diff --git a/t/tests/files-privacybreach/tags b/t/tests/files-privacybreach/tags index b84771b..b84d04b 100644 --- a/t/tests/files-privacybreach/tags +++ b/t/tests/files-privacybreach/tags @@ -1,4 +1,6 @@ E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsense.js E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyadds.js E: files-privacybreach: privacy-breach-google-adsense usr/share/javascript/adsenseonlyvar.js +E: files-privacybreach: privacy-breach-piwik usr/share/javascript/piwik.js +E: files-privacybreach: privacy-breach-piwik usr/share/javascript/piwikvariant.js X: files-privacybreach: privacy-breach-generic usr/share/javascript/genericwebsite.js www.example.com/trackme.js -- 1.7.10.4