Your message dated Mon, 11 Feb 2002 17:30:00 +0100 with message-id <[EMAIL PROTECTED]> and subject line Bug#133329: base.debian.net Pages Needs HTML Escaping has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Feb 2002 05:42:49 +0000
From: Jason Bucata <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Sun, 10 Feb 2002 23:42:44 -0600
Subject: base.debian.net Pages Needs HTML Escaping

Package: qa.debian.org
Version: N/A
Severity: grave
Tag: security

Take a look at:

    http://base.debian.net/index.pmz?name=perl

using Mozilla (and perhaps other browsers). Scroll down to bug #126608. According to the BTS, the title of the bug should be:

    perl-5.005: $_ gets modified by m// inside for(shift) inside &sub($1)

Doing a View Source on that page shows that the "&sub($1)" is escaped as "&amp;sub($1)" as you'd want it to be. But on the base.debian.net page for Perl, it doesn't escape the ampersand, with the result that Mozilla displays the is-a-proper-subset-of symbol (confirmed by REC-html40):

    <!ENTITY sub CDATA "&#8834;" -- subset of, U+2282 ISOtech -->

So the code behind those Web pages isn't escaping HTML characters.

Taking a further look for occurrences of < or >, on that same page I see bug #65096:

    perl-5.005-base: HANDLE->blocking doesn't work

which doesn't have the > converted to &gt; like it should (though Mozilla does display it correctly). Again, the linked-to BTS page does the right thing.

I've tagged this as a security bug because it could be used as a vector to get malicious script code to people's browsers by a suitably-crafted Subject: line in a bug report. Or, to be more precise, I don't know that it *couldn't* be used in such a fashion. Please reprioritize as desired.

Jason B.
-- 
Kindness has converted more sinners than zeal, eloquence, or learning.
-- Frederick W. Faber, British theologian

---------------------------------------
Received: (at 133329-done) by bugs.debian.org; 11 Feb 2002 16:30:40 +0000
From: Martin Michlmayr <[EMAIL PROTECTED]>
To: Jason Bucata <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Date: Mon, 11 Feb 2002 17:30:00 +0100
Subject: Re: Bug#133329: base.debian.net Pages Needs HTML Escaping

* Jason Bucata <[EMAIL PROTECTED]> [20020210 23:42]:
> bug #65096:
>     perl-5.005-base: HANDLE->blocking doesn't work
> which doesn't have the > converted to &gt; like it should (though
> Mozilla does display it correctly). Again, the linked-to BTS page does

Fixed. Thanks for the note.

-- 
Martin Michlmayr [EMAIL PROTECTED]
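The escaping failure the report above describes, as an added example (this is not code from base.debian.net, the BTS, or either poster): a row renderer that drops the bug title into the page verbatim beside one that escapes it, a lenient HTML 4 text extractor that resolves entity names even without a trailing ';' the way Mozilla did in 2002 (so the unescaped "&sub(" comes out as U+2282), and a regression check that flags bare ampersands in generated markup. The table layout, the bugs.debian.org link form and all function names are assumptions; the two titles are the ones quoted in the report.

```python
import html
import re
from html.entities import name2codepoint
from html.parser import HTMLParser

# The two bug titles quoted in the report above, as the BTS shows them.
TITLES = {
    126608: "perl-5.005: $_ gets modified by m// inside for(shift) inside &sub($1)",
    65096: "perl-5.005-base: HANDLE->blocking doesn't work",
}

# Assumed page layout: one table row per bug, linking back to the BTS.
ROW = ('<tr><td><a href="http://bugs.debian.org/{bugno}">#{bugno}</a></td>'
       '<td>{title}</td></tr>')


def render_row_unescaped(bugno, title):
    """The defect: the title is interpolated into the markup verbatim."""
    return ROW.format(bugno=bugno, title=title)


def render_row_escaped(bugno, title):
    """The fix: escape &, <, > and both quote characters first."""
    return ROW.format(bugno=bugno, title=html.escape(title, quote=True))


class LenientText(HTMLParser):
    """Visible text of a fragment as a lenient HTML 4 browser shows it.

    html.unescape() follows the HTML5 rule that only a fixed set of legacy
    names may omit the ';', so it leaves '&sub(' alone.  Older browsers
    resolved any known entity name, terminated or not, which is exactly
    what turned the '&sub' in the bug title into U+2282.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)  # hand us the refs raw
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        cp = name2codepoint.get(name)          # HTML 4.01 entity table
        self.parts.append(chr(cp) if cp is not None else "&" + name)

    def handle_charref(self, name):
        base = 16 if name[0] in "xX" else 10
        self.parts.append(chr(int(name.lstrip("xX"), base)))


def displayed_text(fragment):
    """Return the text a lenient browser would display, tags stripped."""
    parser = LenientText()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts)


# An '&' that does not begin a well-formed, ';'-terminated reference.
BARE_AMP = re.compile(r"&(?!(?:#[0-9]+|#[xX][0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]*);)")


def bare_ampersands(markup):
    """Regression check for the page generator: offsets of unescaped '&'."""
    return [m.start() for m in BARE_AMP.finditer(markup)]


if __name__ == "__main__":
    for bugno, title in TITLES.items():
        for render in (render_row_unescaped, render_row_escaped):
            row = render(bugno, title)
            print(render.__name__, repr(displayed_text(row)),
                  "bare &:", bare_ampersands(row))
```

Running the module shows the unescaped row for #126608 displaying "inside ⊂($1)" while the escaped row round-trips to the literal "&sub($1)"; the bare ">" in #65096 survives either way because lenient parsers treat a lone ">" as text, which is why that title looked right in Mozilla even though the markup was wrong. The `bare_ampersands` check is the kind of assertion worth running over the generator's output so the next odd Subject: line is caught before it reaches a browser.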