Debian Bug report logs - #898822
Detect data encoded/embedded in HTML "Data" URI schemes


Package: lintian; Maintainer for lintian is Debian Lintian Maintainers <[email protected]>; Source for lintian is src:lintian (PTS, buildd, popcon).

Reported by: Bastien ROUCARIES <[email protected]>

Date: Wed, 16 May 2018 09:27:02 UTC

Severity: wishlist

Tags: moreinfo

Found in version lintian/2.5.86


Subject: Bug#898822: [RFC] Detect data embedded image in html like file
From: Bastien ROUCARIES <[email protected]>
Date: Wed, 16 May 2018 16:13:39 +0200
To: Chris Lamb <[email protected]>
Cc: [email protected]

On Wed, May 16, 2018 at 4:00 PM, Bastien ROUCARIES
<[email protected]> wrote:
> On Wed, May 16, 2018 at 11:33 AM, Chris Lamb <[email protected]> wrote:
>> retitle 898822 Detect data encoded/embedded in HTML "Data" URI schemes
>> severity 898822 wishlist
>> tags 898822 + moreinfo
>> thanks
>>
>> Hi Bastien,
>>
>> [..]
>>
>> I think some concrete examples here would be useful in triaging/
>> prioritising this, as well as working out whether it is feasible or
>> sensible :)
> Code search with request
> (https://codesearch.debian.net/search?q=src%3D%22data%3A&page=1&perpkg=1)
> gives 75 packages affected:
> asciidoctor
> cacti
> chemical-structures
> chromium-browser
> ckeditor
> classified-ads
> diffoscope
> edbrowse
> firefox
> firefox-esr
> fontforge
> fossil
> gitinspector
> golang-github-microcosm-cc-bluemonday
> html5lib
> icingaweb2
> ikiwiki
> ipython
> jmol
> juli
> kmplayer
> kopano-webapp
> landslide
> libcgi-application-plugin-dbiprofile-perl
> libxml-atom-fromowl-perl
> libxml-atom-owl-perl
> lua-apr
> matplotlib
> mayavi2
> mediawiki
> nbconvert
> node-normalize.css
> notmuch
> oca-core
> openlp
> opennebula
> openscad
> pandoc
> php-doctrine-bundle
> php-getid3
> php-kdyby-events
> phpmyadmin
> python-cartopy
> python-darkslide
> python-mne
> python-pweave
> python-pydub
> python-pyqrcode
> python-qtconsole
> qtwebengine-opensource-src
> rails
> rapid-photo-downloader
> r-cran-knitr
> r-cran-repr
> r-cran-rmarkdown
> rdkit
> request-tracker4
> roundcube
> rss-bridge
> rubocop
> sagemath
> sass-spec
> simplesamlphp
> spip
> sympa
> thunderbird
> trac
> turbogears2-doc
> veusz
> virtuoso-opensource
> vistrails
> woo
> xhtml2pdf
> yt
> zotero-standalone-build
>
> Some are clearly abuse, see:
> 1. https://sources.debian.org/src/chemical-structures/2.2.dfsg.0-12/debian/patches/privacy.patch/?hl=10#L10
> (render package undistributable one of sourceforge logo)
> 2. https://codesearch.debian.net/show?file=lua-apr_0.23.2.dfsg-4%2Fsrc%2Fbase64.c&line=33
> (FTBFS, not preferred modification source)
> 3. https://sources.debian.org/src/rubocop/0.52.1+dfsg-1/debian/patches/04-adjust-tests-due-to-rubocop-logo-removal-from-package.diff/?hl=25#L25
> (remove logo as file not as included base64 => RC undistributable)
> 4. https://sources.debian.org/src/fontforge/1:20170731%7Edfsg-1/debian/patches/2003_avoid_privacy_breach.patch/?hl=59#L59
> Borderline: could use the same trick that I have done in
> libjs-normalize.css to generate the image with js (not preferred source
> of modification)
>
> I have not checked all the packages.
>
> Another risk is to carry forbidden images like porn or things like this
> in this stuff. I prefer lintian to signal pedantically in order to
> manually check acceptance.
>
> Better safe than sorry

This request is also interesting:
https://codesearch.debian.net/search?q=href%3D%22data%3A&perpkg=1&page=1

>
> Bastien
>
>
>>
>> Best wishes,
>>
>> --
>>       ,''`.
>>      : :'  :     Chris Lamb
>>      `. `'`      [email protected] / chris-lamb.co.uk
>>        `-
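The check proposed in this thread, as an added illustration (not lintian's own code, and not from the reporter): a scanner that finds `data:` URIs in HTML-like source, decodes each payload and compares the declared media type with the content's magic bytes, so a reviewer can see at a glance what is embedded (a logo that may be undistributable, a blob with no preferred form of modification) and where. It generalises the `src="data:` code search in the report to `href=` attributes and CSS `url()` as well. The regular expression, the magic-byte table, the sample HTML and the output format are all assumptions made for this example.

```python
"""Find data: URIs in HTML/CSS/JS source and summarise the embedded payloads.

Added example for the lintian wishlist request above; not lintian's own code.
It generalises the src="data: code search in the report to href= attributes
and CSS url() as well, decodes each payload, and compares the MIME type the
URI claims with the content's magic bytes so a reviewer can check whether the
blob is something the package should not ship (a third-party logo, generated
data without preferred source, etc.).  Names and samples here are made up.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

# data:<mediatype>[;param]*[;base64],<payload> inside src=/href= or url(),
# with optional quotes.  The payload ends at the closing quote, paren or
# whitespace.  (Assumed sufficient for source scanning; no HTML parser needed.)
DATA_URI_RE = re.compile(
    r"""\b(?:src|href|url)\s*[=(]\s*['"]?data:"""
    r"""(?P<mime>[^;,'"\s)]*)(?P<params>(?:;[^;,'"\s)]*)*),(?P<payload>[^'")\s]*)""",
    re.IGNORECASE,
)

# Magic bytes for the image formats most often embedded as logos.  The MIME
# type declared in the URI is not trusted; the leading bytes are.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}


def sniff(blob: bytes) -> Optional[str]:
    """Return the media type implied by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return None


def is_base64(params: str) -> bool:
    """True when the URI parameters (e.g. ';base64') declare a base64 body."""
    return "base64" in params.lower().split(";")


def decode_payload(params: str, payload: str) -> bytes:
    """Decode the URI payload; an undecodable base64 body yields b''."""
    if is_base64(params):
        try:
            return base64.b64decode(payload, validate=True)
        except binascii.Error:
            return b""
    return unquote_to_bytes(payload)   # RFC 2397: percent-encoded otherwise


def find_data_uris(text: str) -> List[Dict[str, object]]:
    """Return one record per data: URI found, with line, types and size."""
    findings = []
    for m in DATA_URI_RE.finditer(text):
        blob = decode_payload(m.group("params"), m.group("payload"))
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            # RFC 2397 defaults an empty media type to text/plain
            "claimed_mime": (m.group("mime") or "text/plain").lower(),
            "sniffed_mime": sniff(blob),
            "bytes": len(blob),
            "base64": is_base64(m.group("params")),
        })
    return findings


def report(path: str, text: str) -> List[str]:
    """Render findings as one line each, for manual review of the package."""
    out = []
    for f in find_data_uris(text):
        note = ""
        if f["base64"] and f["bytes"] == 0:
            note = " (base64 payload failed to decode)"
        elif f["sniffed_mime"] and f["sniffed_mime"] != f["claimed_mime"]:
            note = " (declared type differs from content)"
        out.append(
            f"{path}:{f['line']}: data: URI claimed={f['claimed_mime']} "
            f"content={f['sniffed_mime'] or 'unrecognised'} size={f['bytes']}B{note}"
        )
    return out


# Constructed sample: a PNG header, a percent-encoded text blob, a GIF header
# inside CSS, and a base64 body that does not decode.
SAMPLE_HTML = """<html><body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">
<a href="data:text/plain,Hello%20World">download</a>
<div style="background:url(data:image/gif;base64,R0lGODlh)"></div>
<img src="data:image/jpeg;base64,not*valid*base64!">
</body></html>"""

if __name__ == "__main__":
    for line in report("usr/share/doc/example/index.html", SAMPLE_HTML):
        print(line)
```

Run against a package's unpacked tree, the `report()` lines give the reviewer the file, line, declared and actual content type and size of every embedded blob; a mismatch between declared and sniffed type, or a body that fails to decode, is the kind of thing worth looking at by hand before deciding whether the embedded data is acceptable.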


Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 11:46:22 2025; Machine Name: buxtehude