Bug#1010066: prayer: Depends on private functions that are hidden with tidy 5.8
On Tuesday, 31 May 2022 at 16:11:03 CEST, Trent W. Buck wrote:
> https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/session/html_secure_tidy.c/#L274-L334
> https://api.html-tidy.org/tidy/tidylib_api_5.8.0/group__parser__h.html#ga46769d54f0a1bcfd801d60c34eb563e7
>
> Is it sufficient to simply change "prvTidyDiscardElement" to
> "TY_DiscardElement"?
>
> The TY_DiscardElement docs say "TY_Private".
> Does that mean "you're not allowed to call this, either"?

You mean TY_(DiscardElement)? TY_() is simply a macro that prepends "prvTidy" to the function name, but it's internal, which is why Prayer called it as prvTidyDiscardElement(). What changed, however, is that those internal functions are now hidden so you _can't_ link them. At the same time, there is a public version now, tidyDiscardElement(), but there is no public tidyAddAttribute(), which is where we get stuck.

> If so, we can build prayer without tidy at all.
> Prayer will then use an older in-house HTML sanitizer:
>
> https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/Config/?hl=16#L16
>
> https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/session/Makefile/#L27-L35

Well, not automatically. It's not bundled with the Prayer source. I don't know if it can be found anywhere.

> The whole purpose of html_secure*.c is to "safely" embed an attacker's
> untrusted HTML (the email) inside trusted HTML (the webmail app).
> The code predates things like Content-Security-Policy (added circa 2013),
> so it's probably *NEVER* safe, regardless of whether tidy is or isn't used.
>
> Prayer is abandoned upstream since the 201x's.
> I can't find a direct citation, but here's the last time the "homepage"
> existed:
>
> https://web.archive.org/web/20161129034822/http://www-uxsup.csx.cam.ac.uk:80/~dpc22/prayer/
> https://web.archive.org/web/20130701184507/http://www-uxsup.csx.cam.ac.uk/%7Edpc22/

Yeah, it may be time to let Prayer go. It's not exactly modern, and I don't even use it myself.

-- 
Magnus Holmgren        holmg...@debian.org
Debian Developer
Bug#1010066: prayer: Depends on private functions that are hidden with tidy 5.8
Boyuan Yang wrote:
> Source: prayer
> Version: 1.3.5-dfsg1-8
> Severity: grave
> X-Debbugs-CC: holmg...@debian.org
> User: tidy-ht...@packages.debian.org
> Usertags: tidy5.8
>
> your package uses some of Tidy's unexported internal
> functions that are explicitly hidden in Tidy 5.8 [...]
> I believe this change is intentional by upstream, and will not be changed in
> the foreseeable future. Please consider fixing the build by removing the use of
> internal Tidy functions. Thanks!

Hi, I am a nosy bystander.

I eyeballed these two references:

https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/session/html_secure_tidy.c/#L274-L334
https://api.html-tidy.org/tidy/tidylib_api_5.8.0/group__parser__h.html#ga46769d54f0a1bcfd801d60c34eb563e7

Is it sufficient to simply change "prvTidyDiscardElement" to "TY_DiscardElement"?

The TY_DiscardElement docs say "TY_Private".
Does that mean "you're not allowed to call this, either"?

If so, we can build prayer without tidy at all.
Prayer will then use an older in-house HTML sanitizer:

https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/Config/?hl=16#L16
https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/session/Makefile/#L27-L35

The whole purpose of html_secure*.c is to "safely" embed an attacker's untrusted HTML (the email) inside trusted HTML (the webmail app).
The code predates things like Content-Security-Policy (added circa 2013), so it's probably *NEVER* safe, regardless of whether tidy is or isn't used.

Prayer is abandoned upstream since the 201x's.
I can't find a direct citation, but here's the last time the "homepage" existed:

https://web.archive.org/web/20161129034822/http://www-uxsup.csx.cam.ac.uk:80/~dpc22/prayer/
https://web.archive.org/web/20130701184507/http://www-uxsup.csx.cam.ac.uk/%7Edpc22/
Bug#1010066: prayer: Depends on private functions that are hidden with tidy 5.8
Source: prayer
Version: 1.3.5-dfsg1-8
Severity: grave
X-Debbugs-CC: holmg...@debian.org
User: tidy-ht...@packages.debian.org
Usertags: tidy5.8

Dear Debian prayer package maintainer,

When preparing the upload of package tidy-html5 v5.8 onto Debian Unstable, I noticed that your package FTBFS with the new tidy library:

/usr/bin/ld: ../session/session.a(html_secure_tidy.o): in function `tidy_tree':
./session/html_secure_tidy.c:311: undefined reference to `prvTidyDiscardElement'
/usr/bin/ld: ./session/html_secure_tidy.c:322: undefined reference to `prvTidyRemoveAttribute'
/usr/bin/ld: ./session/html_secure_tidy.c:329: undefined reference to `prvTidyAddAttribute'
collect2: error: ld returned 1 exit status

This is because your package uses some of Tidy's unexported internal functions that are explicitly hidden in Tidy 5.8:

/* Foul layering volation: Tidy doesn't export these functions */
extern void prvTidyDiscardElement( TidyDoc doc, TidyNode node);
extern void prvTidyRemoveAttribute( TidyDoc doc, TidyNode node, TidyAttr attr);
extern void prvTidyAddAttribute( TidyDoc doc, TidyNode node, const char *attr, const char *value);

I believe this change is intentional by upstream, and will not be changed in the foreseeable future. Please consider fixing the build by removing the use of internal Tidy functions. Thanks!

Best,
Boyuan Yang
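
Added example (not part of the bug report, and not code from prayer or tidy): a check a packager could run ahead of a library transition, comparing an object file's undefined symbols with the library's exported symbols to list dependencies on `prvTidy`-prefixed internals. The `nm` output is constructed from the symbol names in this thread, and `same_named_public` is a hypothetical name-matching heuristic.

```python
import re

# Constructed sample of `nm -u html_secure_tidy.o` (undefined symbols).
# The prvTidy* names are the ones from the linker errors in this report.
NM_UNDEFINED = """\
                 U prvTidyAddAttribute
                 U prvTidyDiscardElement
                 U prvTidyRemoveAttribute
                 U tidyCreate
                 U strlen
"""

# Constructed, partial sample of `nm -D --defined-only` for a libtidy with
# hidden internals. Addresses are made up.
NM_EXPORTED = """\
0000000000011a20 T tidyCreate
0000000000012b40 T tidyDiscardElement@@Base
"""

# Default nm line: optional hex address, one type letter, symbol name.
LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)\s*$")

def parse_nm(text):
    """Return {symbol: type_letter}; version suffixes (@VER, @@VER) are dropped."""
    symbols = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            symbols[m.group(2).split("@")[0]] = m.group(1)
    return symbols

def private_dependencies(undefined_text, exported_text, prefix="prvTidy"):
    """Undefined symbols with the internal prefix that the library does not export."""
    wanted = {s for s, t in parse_nm(undefined_text).items() if t == "U"}
    exported = {s for s, t in parse_nm(exported_text).items() if t != "U"}
    return sorted(s for s in wanted if s.startswith(prefix) and s not in exported)

def same_named_public(undefined_text, exported_text, prefix="prvTidy"):
    """Map each private dependency to an exported 'tidy' + same-suffix symbol.
    None only means no same-named export in the given list (assumption: a
    public replacement, if any, keeps the suffix)."""
    exported = parse_nm(exported_text)
    result = {}
    for sym in private_dependencies(undefined_text, exported_text, prefix):
        candidate = "tidy" + sym[len(prefix):]
        result[sym] = candidate if candidate in exported else None
    return result

if __name__ == "__main__":
    for sym, repl in same_named_public(NM_UNDEFINED, NM_EXPORTED).items():
        print(f"{sym}: {repl or 'no same-named public export'}")
```
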