Your message dated Thu, 17 Apr 2003 19:43:12 -0700
with message-id <[EMAIL PROTECTED]>
and subject line done
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 21 Feb 2003 10:21:59 +0000
>From [EMAIL PROTECTED] Fri Feb 21 04:21:57 2003
Return-path: <[EMAIL PROTECTED]>
Received: from head.linpro.no [80.232.36.1]
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 18mAJZ-0006aJ-00; Fri, 21 Feb 2003 04:21:57 -0600
Received: from python.linpro.no ([80.232.36.148])
	by head.linpro.no with esmtp (Exim 4.12 #1 (Debian))
	id 18mAJX-0008Fs-00; Fri, 21 Feb 2003 11:21:55 +0100
Received: from tore by python.linpro.no with local (Exim 3.35 #1 (Debian))
	id 18mAJX-0005CT-00; Fri, 21 Feb 2003 11:21:55 +0100
From: Tore Anderson <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: www.debian.org: Improper handling of special HTML characters in package descriptions
X-Mailer: reportbug 1.50
Date: Fri, 21 Feb 2003 11:21:55 +0100
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Score: 1.4 (+)
X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/) *18mAJX-0008Fs-00*meLSmHvSW16*
Delivered-To: [EMAIL PROTECTED]
X-Spam-Status: No, hits=1.2 required=4.0 tests=HAS_PACKAGE,PORN_4,SPAM_PHRASE_00_01 version=2.44
X-Spam-Level: *

Package: www.debian.org
Version: N/A; reported 2003-02-21
Severity: normal

  The scripts generating the packages' pages on <http://packages.debian.org>
  fail to convert the characters "<" and ">" to their respective HTML
  entities, such as "&lt;" and "&gt;". It is likely that other characters
  are also affected by this.

  To see an example of this, take a look at
  <http://packages.debian.org/unstable/games/scummvm.html>. The description
  in question reads:

    ".. at <URL: http://scummvm.sf.net/compatibility.php>. .."

  Mozilla shows this on the web pages like this:

    ".. at http://scummvm.sf.net/compatibility.php>. .."

  and the HTML source reads:

    ".. at <URL: <a href="http://scummvm.sf.net/compatibility.php>">http://scummvm.sf.net/compatibility.php></a>. .."

  Obviously, the special characters should have been replaced by their
  respective HTML entities. I would assume that a malicious uploader could
  use packages.debian.org for an XSS attack, should he be inclined to do so.
  I don't believe that's likely to happen, though, so no security tag added.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux python.linpro.no 2.4.20-xfs #1 Wed Dec 11 20:26:47 CET 2002 i686
Locale: LANG=C, LC_CTYPE=no_NO.ISO-8859-1

---------------------------------------
Received: (at 181872-done) by bugs.debian.org; 18 Apr 2003 02:43:11 +0000
>From [EMAIL PROTECTED] Thu Apr 17 21:43:11 2003
Return-path: <[EMAIL PROTECTED]>
Received: from host-66-81-203-104.rev.o1.com (catalunya) [66.81.203.104]
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 196LqI-0002wQ-00; Thu, 17 Apr 2003 21:43:11 -0500
Received: from kraai by catalunya with local (Exim 3.35 #1 (Debian))
	id 196LqK-0000AY-00
	for <[EMAIL PROTECTED]>; Thu, 17 Apr 2003 19:43:12 -0700
Date: Thu, 17 Apr 2003 19:43:12 -0700
From: Matt Kraai <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: done
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
Sender: Matt Kraai <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Status: No, hits=-1.2 required=4.0 tests=SIGNATURE_SHORT_DENSE,SPAM_PHRASE_00_01,USER_AGENT,
	USER_AGENT_MUTT version=2.44
X-Spam-Level: 

Howdy,

I committed a patch to escape HTML entities. Broken pages should be
fixed after the next packages.d.o build.

Matt

-- 
Matt Kraai <[EMAIL PROTECTED]>
Debian GNU/Linux Peon
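The escaping defect reported above and the fix the closing message refers to, as an added Python example that is neither part of this bug thread nor the packages.debian.org scripts: the first renderer reconstructs the reported behaviour (no escaping, and a URL pattern that swallows the closing ">"), the second escapes the literal text and the URL separately. The sample description, both URL patterns and the regression check are constructed assumptions, not the project's code.

```python
import html
import re

# Constructed sample: the description fragment quoted in the bug report.
DESCRIPTION = "Details at <URL: http://scummvm.sf.net/compatibility.php>. Enjoy."

# Assumed reconstruction of the buggy renderer: the URL pattern runs up to
# the next whitespace (minus trailing punctuation), so it swallows the
# closing '>', and the surrounding text is emitted without any escaping.
BUGGY_URL_RE = re.compile(r'https?://\S+?(?=[.,;]?(?:\s|$))')

def render_unescaped(text):
    return BUGGY_URL_RE.sub(
        lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), text)

# Hardened renderer: every literal segment is HTML-escaped, the URL is
# escaped before it is placed in the attribute and the link text, and the
# pattern stops at '<', '>' and '"' so markup characters never join a URL.
SAFE_URL_RE = re.compile(r'https?://[^\s<>"]+')

def render_escaped(text):
    out, pos = [], 0
    for m in SAFE_URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = html.escape(m.group(0))
        out.append('<a href="%s">%s</a>' % (url, url))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return ''.join(out)

# Regression check on rendered output: once the anchors the renderer itself
# emits are removed, no raw '<' or '>' may survive from the description.
ANCHOR_RE = re.compile(r'<a href="[^"]*">[^<]*</a>')

def only_generated_markup(rendered):
    rest = ANCHOR_RE.sub('', rendered)
    return '<' not in rest and '>' not in rest

if __name__ == "__main__":
    print(render_unescaped(DESCRIPTION))
    print(render_escaped(DESCRIPTION))
```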