Package: qa.debian.org Severity: important Tags: patch Hi,
Can someone review and release the attached patch: commit b57aea649dd0ee90d6f7e2bf44f6d6119ed71815 Author: Chris Lamb <ch...@chris-lamb.co.uk> Date: Sat Aug 19 10:59:07 2017 -0700 debcheck: Escape some HTML before outputting. Discovered as the parser doesn't support Build-Profiles, which end up as literal < and > chars in the error message: build time dependency on 'tcl <!nocheck>' which is broken Syntax ^ ^ Signed-off-by: Chris Lamb <la...@debian.org> data/debcheck/debcheck | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) Probably exploitable with: Standards-Version: <script>alert('XSS')</script> *g* Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
>From b57aea649dd0ee90d6f7e2bf44f6d6119ed71815 Mon Sep 17 00:00:00 2001 From: Chris Lamb <ch...@chris-lamb.co.uk> Date: Sat, 19 Aug 2017 10:59:07 -0700 Subject: [PATCH] debcheck: Escape some HTML before outputting. Discovered as the parser doesn't support Build-Profiles, which end up as literal < and > chars in the error message: build time dependency on 'tcl <!nocheck>' which is broken Syntax ^ ^ Signed-off-by: Chris Lamb <la...@debian.org>
---
 data/debcheck/debcheck | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/data/debcheck/debcheck b/data/debcheck/debcheck
index 863afe9..aabffe2 100755
--- a/data/debcheck/debcheck
+++ b/data/debcheck/debcheck
@@ -7,6 +7,7 @@ use strict; use Dpkg::ErrorHandling; use Dpkg::Version; +use HTML::Escape qw{escape_html}; report_options (quiet_warnings => 1); my $VERBOSE = -t 1; # output is a terminal
@@ -619,7 +620,7 @@ sub malformedbuilddepends($$$$) {
 my ($pkg, $prob, $maint, $section) = @_;
 print FILE "<h1>Malformed Build-Depends</h1><p>";
 for my $dependency (keys %$prob) {
- print FILE "Package declares a build time dependency on '$dependency' which is broken Syntax.<br>\n";
+ print FILE "Package declares a build time dependency on '" . html_escape($dependency) . "' which is broken Syntax.<br>\n";
 };
 registerSummaryItem('malformed-build-depends', undef, $pkg, $maint);
 registerSummaryItem('main-only-malformed-build-depends', undef, $pkg, $maint) if ($section eq 'main');
@@ -628,7 +629,7 @@ sub malformedbuilddepends($$$$) {
 sub standardversion($$$$) {
 my ($pkg, $prob, $maint, $section) = @_;
 print FILE "<h1>Standards-Version</h1><p>";
- print FILE "Package has a Standards-Version of $prob which is pretty old.<br>\n";
+ print FILE "Package has a Standards-Version of " . html_escape($prob) . " which is pretty old.<br>\n";
 registerSummaryItem('Standards-Version', undef, $pkg, $maint);
 registerSummaryItem('main-only-Standards-Version', undef, $pkg, $maint) if ($section eq 'main');
 };
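Review bot: The added `use` line imports `escape_html`, but every call site in the later hunks is spelled `html_escape(...)`, a name HTML::Escape does not export, so each of those `print` statements dies with "Undefined subroutine &main::html_escape" the first time its branch is reached — nothing gets escaped and the debcheck run aborts instead. Either rename the calls to `escape_html(...)`, or keep them and add `sub html_escape { return escape_html(@_); }` directly under the import. HTML::Escape is also a new runtime dependency for this script (libhtml-escape-perl in Debian, as far as I recall) that has to be present wherever debcheck runs; if only libhtml-parser-perl is available there, HTML::Entities' `encode_entities` is an equivalent drop-in. The `use` block this hunk sits in starts before the hunk.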
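Review bot: The `$pkg` and `$maint` values handed to registerSummaryItem on the hunk's last two lines are left unescaped, and the Maintainer field comes from the same package-controlled control file as the dependency string being escaped on the `+` line, so if registerSummaryItem ever emits its arguments into the HTML summary the `<script>` payload from the bug report works through that path as well. I cannot see registerSummaryItem from here, so check what it does with its arguments and escape at the point of output there too, rather than pre-escaping here, which would double-encode if the summary is also written to a non-HTML sink. A short comment on the escaped line would help the next reader, e.g. `# $dependency is taken verbatim from the package's Build-Depends; escape before emitting HTML`. The enclosing sub malformedbuilddepends opens before this hunk and its closing brace is after it.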
@@ -636,7 +637,7 @@ sub standardversion($$$$) {
 sub wrongstandardversion($$$$) {
 my ($pkg, $prob, $maint, $section) = @_;
 print FILE "<h1>Wrong-Standards-Version-Syntax</h1><p>";
- print FILE "Package has a Standards-Version of '$prob' which is broken Syntax.<br>\n";
+ print FILE "Package has a Standards-Version of '" . html_escape($prob) . "' which is broken Syntax.<br>\n";
 registerSummaryItem('Wrong-Standards-Version-Syntax', undef, $pkg, $maint);
 registerSummaryItem('main-only-Wrong-Standards-Version-Syntax', undef, $pkg, $maint) if ($section eq 'main');
 };
@@ -677,7 +678,7 @@ EOF
 my $them = $2;
 for my $arch (keys %{$prob->{$depType}->{$depTarget}->{$partdepTarget}->{$priType}}) {
 if ($depTarget eq $partdepTarget) {
- print FILE "Package is $me and has a $depType on $depTarget which is $them on $arch.<br>\n";
+ print FILE "Package is " . html_escape($me and has a $depType on $depTarget which is $them on $arch.<br>\n";
 } else {
 print FILE "Package is $me and has a $depType on $partdepTarget (within $depTarget) which is $them on $arch.<br>\n";
 };
-- 2.14.1
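Review bot: The `+` line in the `if` branch of the second hunk is not valid Perl as posted — `html_escape($me and has a $depType ...` never closes the call's parenthesis and leaves the string literal open — so the file will not compile with this hunk applied; this looks like the line was mangled somewhere between the editor and the mail (the `-` line shows what the message should say), but the patch needs regenerating before it can be released. Even with that repaired, only `$me` would be escaped while `$depType`, `$depTarget`, `$them` and `$arch` are still interpolated raw, and the `else` branch two lines below interpolates all of them plus `$partdepTarget` with no escaping at all, although `$depTarget`/`$partdepTarget` look to be dependency targets read from the same control-file fields this commit escapes elsewhere. Both prints should go through the escaper, using the name HTML::Escape actually exports: `print FILE "Package is " . escape_html($me) . " and has a " . escape_html($depType) . " on " . escape_html($depTarget) . " which is " . escape_html($them) . " on " . escape_html($arch) . ".<br>\n";` for the `if` branch and `print FILE "Package is " . escape_html($me) . " and has a " . escape_html($depType) . " on " . escape_html($partdepTarget) . " (within " . escape_html($depTarget) . ") which is " . escape_html($them) . " on " . escape_html($arch) . ".<br>\n";` for the `else` branch. The enclosing sub and the `for my $arch` loop both open before this hunk and close after it.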