Acknowledgement sent
to Bastien ROUCARIES <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian Lintian Maintainers <[email protected]>.
(Wed, 16 May 2018 09:27:04 GMT) (full text, mbox, link).
Subject: [RFC] Detect data embeded image in html like file
Date: Wed, 16 May 2018 11:23:26 +0200
Package: lintian
Version: 2.5.86
Severity: minor
Hi,
This is maybe a hot topic, so ask for comment
A not so well know feature of html format is the DATA uri scheme that
allow to embded some stuff like image in html file (see
https://en.wikipedia.org/wiki/Data_URI_scheme).
I am sure that base64 encoded stuff like image are not considered as
prefered form of modification, and I believe that lintian should
detect in source file this kind of use, in order to help ftpmaster
work.
They are also security implication and I think it is good to detect
this kind of stuff.
It is easy to implement:
- first move to files.pm privacy-breach logic detection to common
library (this one I need help)
- detect the base64 encoding in privacy-breach logic
- warn pedantically in files.pm for base64 and error in cruft.pm
Any comments ?
Bastien
Acknowledgement sent
to Chris Lamb <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>.
(Wed, 16 May 2018 09:36:02 GMT) (full text, mbox, link).
Subject: Re: Bug#898822: [RFC] Detect data embeded image in html like file
Date: Wed, 16 May 2018 10:33:15 +0100
retitle 898822 Detect data encoded/embedded in HTML "Data" URI schemes
severity 898822 wishlist
tags 898822 + moreinfo
thanks
Hi Bastien,
[..]
I think some concrete examples here would be useful in triaging/
prioritising this, as well as working out whether it is feasible or
sensible :)
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
Changed Bug title to 'Detect data encoded/embedded in HTML "Data" URI schemes' from '[RFC] Detect data embeded image in html like file'.
Request was from Chris Lamb <[email protected]>
to [email protected].
(Wed, 16 May 2018 09:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Bastien ROUCARIES <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>.
(Wed, 16 May 2018 14:03:03 GMT) (full text, mbox, link).
Subject: Re: Bug#898822: [RFC] Detect data embeded image in html like file
Date: Wed, 16 May 2018 16:00:37 +0200
On Wed, May 16, 2018 at 11:33 AM, Chris Lamb <[email protected]> wrote:
> retitle 898822 Detect data encoded/embedded in HTML "Data" URI schemes
> severity 898822 wishlist
> tags 898822 + moreinfo
> thanks
>
> Hi Bastien,
>
> [..]
>
> I think some concrete examples here would be useful in triaging/
> prioritising this, as well as working out whether it is feasible or
> sensible :)
Code search with request
(https://codesearch.debian.net/search?q=src%3D%22data%3A&page=1&perpkg=1)
give 75 packages affected:
asciidoctor
cacti
chemical-structures
chromium-browser
ckeditor
classified-ads
diffoscope
edbrowse
firefox
firefox-esr
fontforge
fossil
gitinspector
golang-github-microcosm-cc-bluemonday
html5lib
icingaweb2
ikiwiki
ipython
jmol
julia
kmplayer
kopano-webapp
landslide
libcgi-application-plugin-dbiprofile-perl
libxml-atom-fromowl-perl
libxml-atom-owl-perl
lua-apr
matplotlib
mayavi2
mediawiki
nbconvert
node-normalize.css
notmuch
oca-core
openlp
opennebula
openscad
pandoc
php-doctrine-bundle
php-getid3
php-kdyby-events
phpmyadmin
python-cartopy
python-darkslide
python-mne
python-pweave
python-pydub
python-pyqrcode
python-qtconsole
qtwebengine-opensource-src
rails
rapid-photo-downloader
r-cran-knitr
r-cran-repr
r-cran-rmarkdown
rdkit
request-tracker4
roundcube
rss-bridge
rubocop
sagemath
sass-spec
simplesamlphp
spip
sympa
thunderbird
trac
turbogears2-doc
veusz
virtuoso-opensource
vistrails
woo
xhtml2pdf
yt
zotero-standalone-build
Some are clearly abuse see:
1. https://sources.debian.org/src/chemical-structures/2.2.dfsg.0-12/debian/patches/privacy.patch/?hl=10#L10
(render package undistributable one of sourceforge logo)
2. https://codesearch.debian.net/show?file=lua-apr_0.23.2.dfsg-4%2Fsrc%2Fbase64.c&line=33
FTBFS not prefered modification source
3. https://sources.debian.org/src/rubocop/0.52.1+dfsg-1/debian/patches/04-adjust-tests-due-to-rubocop-logo-removal-from-package.diff/?hl=25#L25
(remove logo as file not as included base64 => RC undistributable)
4.https://sources.debian.org/src/fontforge/1:20170731%7Edfsg-1/debian/patches/2003_avoid_privacy_breach.patch/?hl=59#L59
Border line could use the same trick that I have done in
libjs-normalize.css to generate with js the image (not prefered source
of modification)
I have not checked all the package.
another risk is to carry forbidden image like porn of think like this
is this stuff. I prefer lintian to signal pedantically in order to
manually check acceptance.
Better safe than sorry
Bastien
>
> Best wishes,
>
> --
> ,''`.
> : :' : Chris Lamb
> `. `'` [email protected] / chris-lamb.co.uk
> `-
Acknowledgement sent
to Bastien ROUCARIES <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>.
(Wed, 16 May 2018 14:15:09 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.