Package: qa.debian.org
Version: N/A
Severity: grave
Tag: security
Take a look at:
http://base.debian.net/index.pmz?name=perl
using Mozilla (and perhaps other browsers). Scroll down to bug #126608.
According to the BTS, the title of the bug should be:
perl-5.005: $_ gets modified by m// inside for(shift) inside &sub($1)
Doing a View Source on that page shows that the "&sub($1)" is escaped as
"&sub($1)" as you'd want it to be.
But on the base.debian.net page for Perl, it doesn't escape the
ampersand, with the result that Mozilla displays the is-a-proper-subset-of
symbol (confirmed by REC-html40):
<!ENTITY sub CDATA "⊂" -- subset of, U+2282 ISOtech -->
So the code behind those Web pages isn't escaping HTML characters.
Taking a further look for occurrences of < or >, on that same page I see
bug #65096:
perl-5.005-base: HANDLE->blocking doesn't work
which doesn't have the > converted to > like it should (though
Mozilla does display it correctly). Again, the linked-to BTS page does
the right thing.
I've tagged this as a security bug because it could be used as a vector
to get malicious script code to people's browsers by a suitably-crafted
Subject: line in a bug report. Or, to be more precise, I don't know
that it *couldn't* be used in such a fashion. Please reprioritize as
desired.
Jason B.
--
Kindness has converted more sinners than zeal, eloquence, or learning.
-- Frederick W. Faber, British theologian
