Bug#767327: b.d.o: wrong package links in "reassigned" message

2016-03-28 Thread Don Armstrong
Thanks! I've applied both of these patches now.


-- 
Don Armstrong  https://www.donarmstrong.com

My spelling ability, or rather the lack thereof, is one of the wonders
of the modern world.



Bug#767327: b.d.o: wrong package links in "reassigned" message

2016-03-27 Thread Frank Lichtenheld
Package: bugs.debian.org
Followup-For: Bug #767327

I've prepared a testcase and a patch for the issue.

Please see the attached commits.

Regards,
  Frank

-- System Information:
Debian Release: 8.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
From c6904460b23cb1e80987624dca932b959fb4d6b2 Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld 
Date: Sun, 27 Mar 2016 15:24:15 +0200
Subject: [PATCH 1/2] Extend bugreport test cases to check the output of some
 control messages

This exposes #767327 (wrong package links in "reassigned" message)
as a test failure.
---
 t/07_bugreport.t | 41 +++--
 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/t/07_bugreport.t b/t/07_bugreport.t
index 3600e1c..80dfc92 100644
--- a/t/07_bugreport.t
+++ b/t/07_bugreport.t
@@ -1,7 +1,7 @@
 # -*- mode: cperl;-*-
 
 
-use Test::More tests => 8;
+use Test::More tests => 14;
 
 use warnings;
 use strict;
@@ -90,7 +90,44 @@ print STDERR $mech->content();
 ok($mech->content() !~ qr/[\x01\x02\x03\x05\x06\x07]/i,
'No unescaped states');
 
-
+# now test the output of some control commands
+my @control_commands =
+ (
+  reassign_foo => {command => 'reassign',
+		   value   => 'bar',
+		   regex => qr{bug reassigned from package foo to bar},
+		  },
+  forwarded_foo  => {command => 'forwarded',
+			 value   => 'https://foo.invalid/bugs?id=1',
+			 regex   => qr{Set bug forwarded-to-address to https://foo\.invalid/bugs\?id=1;>https://foo\.invalid/bugs\?id=1\.},
+			},
+  clone=> {command => 'clone',
+		   value   => '-1',
+		   regex   => qr{Bug 1 cloned as bug 2},
+		  },
+ );
+
+while (my ($command,$control_command) = splice(@control_commands,0,2)) {
+  # just check to see that control doesn't explode
+  $control_command->{value} = " $control_command->{value}" if length $control_command->{value}
+and $control_command->{value} !~ /^\s/;
+  send_message(to => 'control@bugs.something',
+	   headers => [To   => 'control@bugs.something',
+			   From => 'foo@bugs.something',
+			   Subject => "Munging a bug with $command",
+			  ],
+	   body => <{command} 1$control_command->{value}
+thanks
+EOF
+  ;
+  # Now test that the output has changed accordingly
+  $mech->get_ok('http://localhost:'.$port.'/?bug=1',
+		'Page received ok');
+  like($mech->content(), $control_command->{regex},
+   'Page matches regex');
+}
 
 # Other tests for bugs in the page should be added here eventually
 
-- 
2.1.4

From 6176d46de938ccb848b14ed8ca1098313bf7678f Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld 
Date: Sun, 27 Mar 2016 15:26:20 +0200
Subject: [PATCH 2/2] Bugreport: Fix problems with reassign message

* Matched hardcoded "Bug" instead of $config{bug} (which leads
  to problems at least in the test suite)
* Use package_links() wrong. package_links() already adds HTML.
  (Closes: #767327)
---
 Debbugs/CGI/Bugreport.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Debbugs/CGI/Bugreport.pm b/Debbugs/CGI/Bugreport.pm
index b1be2ed..8ebbfe8 100644
--- a/Debbugs/CGI/Bugreport.pm
+++ b/Debbugs/CGI/Bugreport.pm
@@ -395,10 +395,10 @@ sub handle_record{
 		  {$1.$2.(bug_links(bug=>$3)).$4.
 			   english_join([map {bug_links(bug=>$_)} (split /\,?\s+(?:and\s+)?/, $5)])}eo;
 	  # Add links to reassigned packages
-	  $output =~ s{(Bug\sreassigned\sfrom\spackage\s(?:[\`']|\&\#39;))([^']+?)((?:'|\&\#39;|\\;)
+	  $output =~ s{($config{bug}\sreassigned\sfrom\spackage\s(?:[\`']|\&\#39;))([^']+?)((?:'|\&\#39;|\\;)
\sto\s(?:[\`']|\&\#39;|\\;))([^']+?)((?:'|\&\#39;|\\;))}
-	  {$1.q($2).$3.
-   q($4).$5}exo;
+	  {$1.package_links(package=>$2).$3.
+   package_links(package=>$4).$5}exo;
 	  if (defined $time) {
 	   $output .= ' ('.strftime('%a, %d %b %Y %T GMT',gmtime($time)).') ';
 	  }
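Review bot: `$config{bug}` is interpolated into the pattern unescaped; with `/x` in effect, any whitespace or metacharacter in the configured name would silently change the regex, so `\Q$config{bug}\E` is the safer form (`/o` remains fine since the config does not change at runtime). Second, `$2` and `$4` are captured from output that is already entity-encoded (the pattern itself accepts `\&\#39;` as the quote) and are now passed to `package_links(package=>$2)`; worth confirming that package_links() does not escape its argument a second time, since double-encoding is exactly the class of problem this change removes. Debian package names cannot contain `&` or `<`, so this is a consistency check rather than a live defect.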
-- 
2.1.4



Bug#767327: b.d.o: wrong package links in reassigned message

2014-10-30 Thread Robert Bihlmeyer
Package: bugs.debian.org

the
  Bug reassigned from package 'foo' to 'bar'.
message uses a defective href of
  https://bugs.debian.org/cgi-bin/%3Ca%20href=%22pkgreport.cgi?package=foo%22%3Efoo%3C/a%3E
for the foo link. Looks like one sprinkling too many of magick HTML dust.

Live example here:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=554538#6

I don't think XSS is possible, though.

br,
-- 
Robert Bihlmeyer
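The double-wrapped link Robert describes, and the package_links() misuse Frank's second patch corrects, as an added example that is not Debbugs code: a small checker that parses a rendered "reassigned" line and flags any href whose target is itself HTML markup. `package_link` is a hypothetical stand-in for Debbugs' `package_links()`, `render_reassigned_doubled` is a constructed reproduction of the faulty composition rather than the original code, and the page base is the bugreport.cgi URL from the live example above.

```python
"""Checker for the double-wrapped package link pattern behind Debian bug #767327."""
from html.parser import HTMLParser
from urllib.parse import unquote, urljoin

# Base the browser resolves relative hrefs against (the page in Robert's live example).
PAGE_BASE = "https://bugs.debian.org/cgi-bin/bugreport.cgi"


def package_link(pkg):
    """Hypothetical stand-in for Debbugs' package_links(): returns a full anchor, not a bare URL."""
    return f'<a href="pkgreport.cgi?package={pkg}">{pkg}</a>'


def render_reassigned(src, dst):
    """Correct composition (what patch 2/2 does): the helper's anchor is used as-is."""
    return f"Bug reassigned from package '{package_link(src)}' to '{package_link(dst)}'."


def render_reassigned_doubled(src, dst):
    """Constructed reproduction of the bug: the helper's anchor is stuffed into a second href."""
    def wrap(pkg):
        inner = package_link(pkg).replace('"', "&quot;")
        return f'<a href="{inner}">{pkg}</a>'
    return f"Bug reassigned from package '{wrap(src)}' to '{wrap(dst)}'."


class _AnchorCollector(HTMLParser):
    """Collects href attribute values; HTMLParser decodes entities such as &quot; for us."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v is not None)


def hrefs_in(fragment):
    parser = _AnchorCollector()
    parser.feed(fragment)
    parser.close()
    return parser.hrefs


def is_markup_url(href):
    """True when the resolved, percent-decoded link target is itself HTML (a link to a link)."""
    target = unquote(urljoin(PAGE_BASE, href))
    return "<" in target or "href=" in target.lower()


def broken_package_hrefs(fragment):
    """Hrefs in a rendered 'reassigned' line that a regression test should reject."""
    return [h for h in hrefs_in(fragment) if is_markup_url(h)]
```

Fed the href from Robert's report, `is_markup_url` returns True; fed the output of the correct composition, `broken_package_hrefs` returns an empty list.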

