On Wed, May 16, 2018 at 11:33 AM, Chris Lamb <la...@debian.org> wrote:
> retitle 898822 Detect data encoded/embedded in HTML "Data" URI schemes
> severity 898822 wishlist
> tags 898822 + moreinfo
> thanks
>
> Hi Bastien,
>
> [..]
>
> I think some concrete examples here would be useful in triaging/
> prioritising this, as well as working out whether it is feasible or
> sensible :)

A code search with the request (https://codesearch.debian.net/search?q=src%3D%22data%3A&page=1&perpkg=1) gives 75 affected packages:

asciidoctor cacti chemical-structures chromium-browser ckeditor classified-ads diffoscope edbrowse firefox firefox-esr fontforge fossil gitinspector golang-github-microcosm-cc-bluemonday html5lib icingaweb2 ikiwiki ipython jmol julia kmplayer kopano-webapp landslide libcgi-application-plugin-dbiprofile-perl libxml-atom-fromowl-perl libxml-atom-owl-perl lua-apr matplotlib mayavi2 mediawiki nbconvert node-normalize.css notmuch oca-core openlp opennebula openscad pandoc php-doctrine-bundle php-getid3 php-kdyby-events phpmyadmin python-cartopy python-darkslide python-mne python-pweave python-pydub python-pyqrcode python-qtconsole qtwebengine-opensource-src rails rapid-photo-downloader r-cran-knitr r-cran-repr r-cran-rmarkdown rdkit request-tracker4 roundcube rss-bridge rubocop sagemath sass-spec simplesamlphp spip sympa thunderbird trac turbogears2-doc veusz virtuoso-opensource vistrails woo xhtml2pdf yt zotero-standalone-build
Some are clearly abuse, see:

1. https://sources.debian.org/src/chemical-structures/2.2.dfsg.0-12/debian/patches/privacy.patch/?hl=10#L10 (renders the package undistributable: one of the sourceforge logos)
2. https://codesearch.debian.net/show?file=lua-apr_0.23.2.dfsg-4%2Fsrc%2Fbase64.c&line=33 FTBFS, not the preferred form of source modification
3. https://sources.debian.org/src/rubocop/0.52.1+dfsg-1/debian/patches/04-adjust-tests-due-to-rubocop-logo-removal-from-package.diff/?hl=25#L25 (logo removed as a file but not as included base64 => RC undistributable)
4. https://sources.debian.org/src/fontforge/1:20170731%7Edfsg-1/debian/patches/2003_avoid_privacy_breach.patch/?hl=59#L59 Borderline; could use the same trick that I have done in libjs-normalize.css to generate the image with js (not the preferred form of source modification)

I have not checked all the packages.

Another risk is carrying forbidden images, like porn or things like this, in this stuff.

I prefer lintian to signal pedantically in order to manually check acceptance. Better safe than sorry.

Bastien

>
> Best wishes,
>
> --
>       ,''`.
>      : :' :     Chris Lamb
>      `. `'`     la...@debian.org / chris-lamb.co.uk
>        `-
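As an added illustration (not code from this bug report or from lintian), here is a small Python scanner for the kind of check requested above: it finds data: URIs in HTML/CSS text, decodes each payload and reports the embedded object's media type and decoded size so a maintainer can review every hit by hand. The sample input is constructed for the example and is not taken from any Debian package.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote_to_bytes

# Matches data: URIs wherever they appear in HTML/CSS (src=, href=, url(...)).
DATA_URI_RE = re.compile(
    r"""data:(?P<mime>[\w.+-]+/[\w.+-]+)?(?P<params>(?:;[\w-]+=[^;,"')]*)*)"""
    r"""(?P<b64>;base64)?,(?P<payload>[^"')\s]*)""",
    re.IGNORECASE,
)

@dataclass
class DataUriHit:
    line: int
    mime: str
    base64: bool
    decoded_bytes: int  # size of the embedded object after decoding
    valid: bool         # False when a base64 payload does not decode cleanly

def scan_text(text: str, min_bytes: int = 0) -> List[DataUriHit]:
    """One hit per data: URI; objects under `min_bytes` (tiny spacer icons)
    are skipped, but malformed payloads are always reported for review."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in DATA_URI_RE.finditer(line):
            payload, is_b64 = m.group("payload"), m.group("b64") is not None
            valid = True
            if is_b64:
                try:
                    data = base64.b64decode(payload, validate=True)
                except binascii.Error:
                    data, valid = b"", False
            else:
                data = unquote_to_bytes(payload)  # percent-encoded text form
            if not valid or len(data) >= min_bytes:
                hits.append(DataUriHit(lineno, m.group("mime") or "text/plain",
                                       is_b64, len(data), valid))
    return hits

# Constructed sample: a 1x1 GIF, a percent-encoded text URI, a corrupt payload.
SAMPLE_HTML = """\
<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7">
<a href="data:text/plain;charset=utf-8,Hello%2C%20World">plain</a>
<img src="data:image/png;base64,not*valid*base64">
<link rel="stylesheet" href="style.css">
"""

if __name__ == "__main__":
    for h in scan_text(SAMPLE_HTML):
        print(f"line {h.line}: {h.mime} base64={h.base64} bytes={h.decoded_bytes} valid={h.valid}")
```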