On Wed, May 16, 2018 at 4:00 PM, Bastien ROUCARIES <roucaries.bast...@gmail.com> wrote: > On Wed, May 16, 2018 at 11:33 AM, Chris Lamb <la...@debian.org> wrote: >> retitle 898822 Detect data encoded/embedded in HTML "Data" URI schemes >> severity 898822 wishlist >> tags 898822 + moreinfo >> thanks >> >> Hi Bastien, >> >> [..] >> >> I think some concrete examples here would be useful in triaging/ >> prioritising this, as well as working out whether it is feasible or >> sensible :) > Code search with request > (https://codesearch.debian.net/search?q=src%3D%22data%3A&page=1&perpkg=1) > give 75 packages affected: > asciidoctor > cacti > chemical-structures > chromium-browser > ckeditor > classified-ads > diffoscope > edbrowse > firefox > firefox-esr > fontforge > fossil > gitinspector > golang-github-microcosm-cc-bluemonday > html5lib > icingaweb2 > ikiwiki > ipython > jmol > juli > kmplayer > kopano-webapp > landslide > libcgi-application-plugin-dbiprofile-perl > libxml-atom-fromowl-perl > libxml-atom-owl-perl > lua-apr > matplotlib > mayavi2 > mediawiki > nbconvert > node-normalize.css > notmuch > oca-core > openlp > opennebula > openscad > pandoc > php-doctrine-bundle > php-getid3 > php-kdyby-events > phpmyadmin > python-cartopy > python-darkslide > python-mne > python-pweave > python-pydub > python-pyqrcode > python-qtconsole > qtwebengine-opensource-src > rails > rapid-photo-downloader > r-cran-knitr > r-cran-repr > r-cran-rmarkdown > rdkit > request-tracker4 > roundcube > rss-bridge > rubocop > sagemath > sass-spec > simplesamlphp > spip > sympa > thunderbird > trac > turbogears2-doc > veusz > virtuoso-opensource > vistrails > woo > xhtml2pdf > yt > zotero-standalone-build > > Some are clearly abuse see: > 1. > https://sources.debian.org/src/chemical-structures/2.2.dfsg.0-12/debian/patches/privacy.patch/?hl=10#L10 > (render package undistributable one of sourceforge logo) > 2. > https://codesearch.debian.net/show?file=lua-apr_0.23.2.dfsg-4%2Fsrc%2Fbase64.c&line=33 > FTBFS not prefered modification source > 3. > https://sources.debian.org/src/rubocop/0.52.1+dfsg-1/debian/patches/04-adjust-tests-due-to-rubocop-logo-removal-from-package.diff/?hl=25#L25 > (remove logo as file not as included base64 => RC undistributable) > 4.https://sources.debian.org/src/fontforge/1:20170731%7Edfsg-1/debian/patches/2003_avoid_privacy_breach.patch/?hl=59#L59 > Border line could use the same trick that I have done in > libjs-normalize.css to generate with js the image (not prefered source > of modification) > > I have not checked all the package. > > another risk is to carry forbidden image like porn of think like this > is this stuff. I prefer lintian to signal pedantically in order to > manually check acceptance. > > Better safe than sorry
This request is also interesting: https://codesearch.debian.net/search?q=href%3D%22data%3A&perpkg=1&page=1 > > Bastien > > >> >> Best wishes, >> >> -- >> ,''`. >> : :' : Chris Lamb >> `. `'` la...@debian.org / chris-lamb.co.uk >> `-