Your message dated Mon, 16 Dec 2019 13:50:09 +0000
with message-id <5df78b9192f03_611c2b0d019250d472...@godard.mail>
and subject line Bug#872646 fixed in qa.debian.org
has caused the Debian Bug report #872646,
regarding qa.debian.org: [debcheck] Escape some HTML before outputting
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
872646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872646
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: qa.debian.org
Severity: important
Tags: patch
Hi,
Can someone review and release the attached patch:
commit b57aea649dd0ee90d6f7e2bf44f6d6119ed71815
Author: Chris Lamb <ch...@chris-lamb.co.uk>
Date: Sat Aug 19 10:59:07 2017 -0700
debcheck: Escape some HTML before outputting.
Discovered as the parser doesn't support Build-Profiles, which end up as
literal < and > chars in the error message:
build time dependency on 'tcl <!nocheck>' which is broken Syntax
^ ^
Signed-off-by: Chris Lamb <la...@debian.org>
data/debcheck/debcheck | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
Probably exploitable with:
Standards-Version: <script>alert('XSS')</script>
*g*
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
From b57aea649dd0ee90d6f7e2bf44f6d6119ed71815 Mon Sep 17 00:00:00 2001
From: Chris Lamb <ch...@chris-lamb.co.uk>
Date: Sat, 19 Aug 2017 10:59:07 -0700
Subject: [PATCH] debcheck: Escape some HTML before outputting.
Discovered as the parser doesn't support Build-Profiles, which end up as
literal < and > chars in the error message:
build time dependency on 'tcl <!nocheck>' which is broken Syntax
^ ^
Signed-off-by: Chris Lamb <la...@debian.org>
---
data/debcheck/debcheck | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/data/debcheck/debcheck b/data/debcheck/debcheck
index 863afe9..aabffe2 100755
--- a/data/debcheck/debcheck
+++ b/data/debcheck/debcheck
@@ -7,6 +7,7 @@ use strict;
use Dpkg::ErrorHandling;
use Dpkg::Version;
+use HTML::Escape qw{escape_html};
report_options (quiet_warnings => 1);
my $VERBOSE = -t 1; # output is a terminal
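Review bot: the new import line brings in escape_html from HTML::Escape, but every call site added in the later hunks uses html_escape, a name this module does not export; under "use strict" the script still compiles (a call with parentheses is resolved at runtime), so the first report that reaches one of those prints would die with an undefined-subroutine error rather than fail at startup. Import and call one name consistently (escape_html is the one HTML::Escape provides), or define a local html_escape wrapper around it. HTML::Escape is also not a core Perl module, so the deployment running debcheck needs it installed before this change goes live.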
@@ -619,7 +620,7 @@ sub malformedbuilddepends($$$$) {
my ($pkg, $prob, $maint, $section) = @_;
print FILE "<h1>Malformed Build-Depends</h1><p>";
for my $dependency (keys %$prob) {
- print FILE "Package declares a build time dependency on '$dependency' which is broken Syntax.<br>\n";
+ print FILE "Package declares a build time dependency on '" . html_escape($dependency) . "' which is broken Syntax.<br>\n";
};
registerSummaryItem('malformed-build-depends', undef, $pkg, $maint);
registerSummaryItem('main-only-malformed-build-depends', undef, $pkg, $maint) if ($section eq 'main');
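Review bot: html_escape($dependency) on the added line does not match the name imported in the first hunk (escape_html), so this print would fail at runtime as written. Apart from the name, escaping here is the right fix for the "tcl <!nocheck>" case from the report: $dependency is taken straight from the package's Build-Depends field, which is controlled by the uploader, and it is emitted into an HTML text node, so HTML::Escape's conversion of "<", ">", "&" and quotes to entities is exactly what is needed. Since this sub reaches the print only for values the parser already rejected as malformed, it is precisely the path where arbitrary characters should be expected.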
@@ -628,7 +629,7 @@ sub malformedbuilddepends($$$$) {
sub standardversion($$$$) {
my ($pkg, $prob, $maint, $section) = @_;
print FILE "<h1>Standards-Version</h1><p>";
- print FILE "Package has a Standards-Version of $prob which is pretty old.<br>\n";
+ print FILE "Package has a Standards-Version of " . html_escape($prob) . " which is pretty old.<br>\n";
registerSummaryItem('Standards-Version', undef, $pkg, $maint);
registerSummaryItem('main-only-Standards-Version', undef, $pkg, $maint) if ($section eq 'main');
};
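Review bot: same html_escape versus escape_html naming mismatch as in the previous hunk. This is the print the report's "Standards-Version: <script>alert('XSS')</script>" example lands in, so it is the most important of the three string fields to get right; rather than fixing each print individually, consider routing every interpolated field through one small escaping helper so that messages added later cannot omit it.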
@@ -636,7 +637,7 @@ sub standardversion($$$$) {
sub wrongstandardversion($$$$) {
my ($pkg, $prob, $maint, $section) = @_;
print FILE "<h1>Wrong-Standards-Version-Syntax</h1><p>";
- print FILE "Package has a Standards-Version of '$prob' which is broken Syntax.<br>\n";
+ print FILE "Package has a Standards-Version of '" . html_escape($prob) . "' which is broken Syntax.<br>\n";
registerSummaryItem('Wrong-Standards-Version-Syntax', undef, $pkg, $maint);
registerSummaryItem('main-only-Wrong-Standards-Version-Syntax', undef, $pkg, $maint) if ($section eq 'main');
};
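Review bot: the naming mismatch applies here too. Note that wrongstandardversion is reached only when the Standards-Version value failed syntax validation, so unlike the "pretty old" message in the previous hunk, $prob here is by definition something that did not parse as a version, and unescaped output of it is the less defensible of the two; the escape is needed on both, but this one should not be left out if the patch is trimmed.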
@@ -677,7 +678,7 @@ EOF
my $them = $2;
for my $arch (keys %{$prob->{$depType}->{$depTarget}->{$partdepTarget}->{$priType}}) {
if ($depTarget eq $partdepTarget) {
- print FILE "Package is $me and has a $depType on $depTarget which is $them on $arch.<br>\n";
+ print FILE "Package is " . html_escape($me and has a $depType on $depTarget which is $them on $arch.<br>\n";
} else {
print FILE "Package is $me and has a $depType on $partdepTarget (within $depTarget) which is $them on $arch.<br>\n";
};
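Review bot: the added line in this hunk is not valid Perl: the string "Package is " is concatenated with html_escape($me, but the argument list is never closed and the remainder of the original message text (" and has a $depType on $depTarget which is $them on $arch.<br>\n") has been swallowed into the call, leaving an unterminated string and an unbalanced parenthesis, so the whole script fails to compile. The intended line is presumably of the form: print FILE "Package is " . html_escape($me) . " and has a $depType on " . html_escape($depTarget) . " which is " . html_escape($them) . " on $arch.<br>\n"; with $depType and $arch escaped too if they can carry profile syntax. The else branch on the unchanged line that follows still interpolates $partdepTarget and $depTarget raw, so the build-profile "<...>" strings the commit message describes would continue to reach the page on that path. Given the closing message says the merged fix was only "based loosely on a partial patch", this hunk is most likely the part that was reworked; the reviewer should verify the committed version against both branches of this if/else.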
--
2.14.1
--- End Message ---
--- Begin Message ---
Hello,
Bug #872646 in qa.debian.org reported by you has been fixed in the Git
repository.
You can see the commit message below and you can check the diff of the fix at:
https://salsa.debian.org/qa/qa/commit/f2f5cd9e74db6d63463276e7589b1e0149d09c8b
------------------------------------------------------------------------
debcheck: Do more HTML escaping
Dependencies may end up containing "<" or ">" due to build profiles.
This is very much not the way I prefer to programmatically output HTML,
but rewriting debcheck to use a template-based approach would be a
rather larger change.
Based loosely on a partial patch from Chris Lamb.
Closes: #872646
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/872646
--- End Message ---