Bug 648250 - Review Request: ghc-xss-sanitize - Sanitize untrusted HTML to prevent XSS attacks
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Narasimhan
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: ghc-tagsoup
Blocks: 630303
 
Reported: 2010-10-31 17:05 UTC by Ben Boeckel
Modified: 2012-12-29 19:33 UTC (History)

Fixed In Version: ghc-xss-sanitize-0.2.6-1.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-13 00:48:54 UTC
Type: ---
Embargoed:
lakshminaras2002: fedora-review+
gwync: fedora-cvs+



Description Ben Boeckel 2010-10-31 17:05:59 UTC
Spec URL: http://benboeckel.net/packaging/ghc-xss-sanitize/ghc-xss-sanitize.spec
SRPM URL: http://benboeckel.net/packaging/ghc-xss-sanitize/ghc-xss-sanitize-0.2.2-1.fc14.src.rpm
Description:
Run untrusted HTML through Text.HTML.SanitizeXSS.sanitizeXSS
to prevent XSS attacks. See README.md for more details.

% lintmock fedora-14-x86_64-bb
ghc-xss-sanitize.src: W: spelling-error Summary(en_US) untrusted -> entrusted, untrustful, mistrusted
ghc-xss-sanitize.src: W: spelling-error %description -l en_US untrusted -> entrusted, untrustful, mistrusted
ghc-xss-sanitize.src: W: spelling-error %description -l en_US SanitizeXSS -> Sanitizes, Sanitize, Sanitarians
ghc-xss-sanitize.src: W: spelling-error %description -l en_US sanitizeXSS -> sanitizes, sanitize, sanitarians
ghc-xss-sanitize.src: W: strange-permission xss-sanitize-0.2.2.tar.gz 0640L
ghc-xss-sanitize.src: W: strange-permission ghc-xss-sanitize.spec 0640L
ghc-xss-sanitize.x86_64: W: spelling-error Summary(en_US) untrusted -> entrusted, untrustful, mistrusted
ghc-xss-sanitize.x86_64: W: spelling-error %description -l en_US untrusted -> entrusted, untrustful, mistrusted
ghc-xss-sanitize.x86_64: W: spelling-error %description -l en_US SanitizeXSS -> Sanitizes, Sanitize, Sanitarians
ghc-xss-sanitize.x86_64: W: spelling-error %description -l en_US sanitizeXSS -> sanitizes, sanitize, sanitarians
ghc-xss-sanitize-devel.x86_64: W: spelling-error Summary(en_US) untrusted -> entrusted, untrustful, mistrusted
ghc-xss-sanitize-devel.x86_64: W: spelling-error %description -l en_US untrusted -> entrusted, untrustful, mistrusted
ghc-xss-sanitize-devel.x86_64: W: spelling-error %description -l en_US SanitizeXSS -> Sanitizes, Sanitize, Sanitarians
ghc-xss-sanitize-devel.x86_64: W: spelling-error %description -l en_US sanitizeXSS -> sanitizes, sanitize, sanitarians
ghc-xss-sanitize-prof.x86_64: E: devel-dependency ghc-xss-sanitize-devel
ghc-xss-sanitize-prof.x86_64: W: spelling-error Summary(en_US) untrusted -> entrusted, untrustful, mistrusted
ghc-xss-sanitize-prof.x86_64: W: spelling-error %description -l en_US untrusted -> entrusted, untrustful, mistrusted
ghc-xss-sanitize-prof.x86_64: W: spelling-error %description -l en_US SanitizeXSS -> Sanitizes, Sanitize, Sanitarians
ghc-xss-sanitize-prof.x86_64: W: spelling-error %description -l en_US sanitizeXSS -> sanitizes, sanitize, sanitarians
ghc-xss-sanitize-prof.x86_64: W: no-documentation
ghc-xss-sanitize-prof.x86_64: W: devel-file-in-non-devel-package /usr/lib64/ghc-6.12.3/xss-sanitize-0.2.2/libHSxss-sanitize-0.2.2_p.a
4 packages and 0 specfiles checked; 1 errors, 20 warnings.

Comment 1 Jens Petersen 2011-06-22 01:42:24 UTC
Needed by yesod-form.

Comment 2 Narasimhan 2011-08-13 16:41:11 UTC
[+]MUST: rpmlint must be run on every package. The output should be posted in the review.
 rpmlint  -i ~/rpmbuild/RPMS/i686/ghc-xss-sanitize-devel-0.2.2-1.fc14.i686.rpm ~/rpmbuild/RPMS/i686/ghc-xss-sanitize-0.2.2-1.fc14.i686.rpm ~/rpmbuild/SRPMS/ghc-xss-sanitize-0.2.2-1.fc14.src.rpm
ghc-xss-sanitize-devel.i686: W: spelling-error Summary(en_US) untrusted -> entrusted, untrustful, unadjusted
The value of this tag appears to be misspelled. Please double-check.

ghc-xss-sanitize-devel.i686: W: spelling-error %description -l en_US untrusted -> entrusted, untrustful, unadjusted
The value of this tag appears to be misspelled. Please double-check.

ghc-xss-sanitize-devel.i686: W: spelling-error %description -l en_US SanitizeXSS -> Sanitizes, Sanitize, Sanitarians
The value of this tag appears to be misspelled. Please double-check.

ghc-xss-sanitize-devel.i686: W: spelling-error %description -l en_US sanitizeXSS -> sanitizes, sanitize, sanitarians
The value of this tag appears to be misspelled. Please double-check.

ghc-xss-sanitize.i686: W: spelling-error Summary(en_US) untrusted -> entrusted, untrustful, unadjusted
The value of this tag appears to be misspelled. Please double-check.

ghc-xss-sanitize.i686: W: spelling-error %description -l en_US untrusted -> entrusted, untrustful, unadjusted
The value of this tag appears to be misspelled. Please double-check.

ghc-xss-sanitize.i686: W: spelling-error %description -l en_US SanitizeXSS -> Sanitizes, Sanitize, Sanitarians
The value of this tag appears to be misspelled. Please double-check.

ghc-xss-sanitize.i686: W: spelling-error %description -l en_US sanitizeXSS -> sanitizes, sanitize, sanitarians
The value of this tag appears to be misspelled. Please double-check.

ghc-xss-sanitize.src: W: spelling-error Summary(en_US) untrusted -> entrusted, untrustful, unadjusted
The value of this tag appears to be misspelled. Please double-check.

ghc-xss-sanitize.src: W: spelling-error %description -l en_US untrusted -> entrusted, untrustful, unadjusted
The value of this tag appears to be misspelled. Please double-check.

ghc-xss-sanitize.src: W: spelling-error %description -l en_US SanitizeXSS -> Sanitizes, Sanitize, Sanitarians
The value of this tag appears to be misspelled. Please double-check.

ghc-xss-sanitize.src: W: spelling-error %description -l en_US sanitizeXSS -> sanitizes, sanitize, sanitarians
The value of this tag appears to be misspelled. Please double-check.

ghc-xss-sanitize.src: W: strange-permission xss-sanitize-0.2.2.tar.gz 0640L
A file that you listed to include in your package has strange permissions.
Usually, a file should have 0644 permissions.

3 packages and 0 specfiles checked; 0 errors, 13 warnings.

[+]MUST: The package must be named according to the Package Naming Guidelines.
[+]MUST: The spec file name must match the base package %{name}, in the format %{name}.spec
[+]MUST: The package must meet the Packaging Guidelines.
        Naming-Yes
        Version-release - Matches
        License - OK, BSD license
        No prebuilt external bits - OK
        Spec legibility - OK
        Package template - OK, upgrade to cabal2spec 0.24
        Arch support - OK
        Libexecdir - OK
        rpmlint - yes
        changelogs - OK
        Source url tag  - OK, validated.
        Build Requires list - OK
        Summary and description - OK
        API documentation - OK, in devel package

[+]MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines.
Licensed as BSD.
[+]MUST: The License field in the package spec file must match the actual license.
[+]MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc.
LICENSE file is included.
[+]MUST: The spec file must be written in American English.
[+]MUST: The spec file for the package MUST be legible.
[+]MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use md5sum for this task.

md5sum  ~/Downloads/xss-sanitize-0.2.2.tar.gz 
964a0ae57d704df855cf6f329ed1738e  ~/Downloads/xss-sanitize-0.2.2.tar.gz

md5sum ghc-xss-sanitize-0.2.2-1.fc14.src/xss-sanitize-0.2.2.tar.gz 
964a0ae57d704df855cf6f329ed1738e  ghc-xss-sanitize-0.2.2-1.fc14.src/xss-sanitize-0.2.2.tar.gz

[+]MUST: The package MUST successfully compile and build into binary rpms on at least one primary architecture.
Built on i686
[+]MUST: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch.
[+]MUST: All build dependencies must be listed in BuildRequires.
[NA]MUST: The spec file MUST handle locales properly using the %find_lang macro
[NA]MUST: Packages storing shared library files must call ldconfig in %post and %postun.
[+]MUST: Packages must NOT bundle copies of system libraries.
Checked with rpmquery --list
[NA]MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review.
[+]MUST: A package must own all directories that it creates.
Checked with rpmquery --whatprovides
[+]MUST: A Fedora package must not list a file more than once in the spec file's %files listings.
[+]MUST: Permissions on files must be set properly.
Checked with ls -lR
[+]MUST: Each package must consistently use macros.
[+]MUST: The package must contain code, or permissible content.
[+]MUST: Large documentation files must go in a -doc subpackage.
[+]MUST: If a package includes something as %doc, it must not affect the runtime of the application.
[+]MUST: Header files must be in a -devel package.
[NA]MUST: Static libraries must be in a -static package.
[NA]MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1), then library files that end in .so (without suffix) must go in a -devel package.
[+]MUST: devel packages must require the base package using a fully versioned dependency: Requires: {name} = %{version}-%{release}

rpm -e ghc-xss-sanitize
error: Failed dependencies:
	ghc-xss-sanitize = 0.2.2-1.fc14 is needed by (installed) ghc-xss-sanitize-devel-0.2.2-1.fc14.i686

[NA]MUST: Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built.
[NA]MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section
[+]MUST: Packages must not own files or directories already owned by other packages.
[+]MUST: All filenames in rpm packages must be valid UTF-8.

Should items
[+]SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[+]SHOULD: The reviewer should test that the package functions as described.
Installed the built packages. Installs fine. Loaded module Text.HTML.SanitizeXSS. Loads fine.
[+]SHOULD: If scriptlets are used, those scriptlets must be sane.

cabal2spec-diff is not OK. Please upgrade to cabal2spec-0.24.

APPROVED.
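
As an added example (not code from the xss-sanitize package, its upstream, or any participant in this review), here is the functional check from comment 2 taken one step further: instead of only loading Text.HTML.SanitizeXSS in ghci, run sanitizeXSS over a few constructed XSS payloads and confirm that the dangerous parts do not survive. It assumes the library exposes sanitizeXSS :: Text -> Text, as the package description states, and that the xss-sanitize and text packages are installed (for instance from the ghc-xss-sanitize-devel package under review). The payload list and the marker list are constructed for illustration.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not part of xss-sanitize or of this review.
-- Assumes: sanitizeXSS :: Text -> Text from Text.HTML.SanitizeXSS,
-- plus the text package. Build with: ghc Main.hs  (or: runghc Main.hs)
module Main (main) where

import qualified Data.Text as T
import qualified Data.Text.IO as TIO
import Text.HTML.SanitizeXSS (sanitizeXSS)

-- Constructed sample inputs. The first is benign markup a whitelist
-- sanitizer should keep; the rest are classic XSS vectors: a raw
-- <script> tag, an event-handler attribute, a javascript: URI and an
-- <iframe> pointing at an attacker-controlled host.
payloads :: [T.Text]
payloads =
  [ "<p>hello <b>world</b></p>"
  , "<script>alert('xss')</script>"
  , "<img src=\"x\" onerror=\"alert(1)\">"
  , "<a href=\"javascript:alert(1)\">click</a>"
  , "<iframe src=\"http://attacker.example/\"></iframe>"
  ]

-- Constructed list of markers whose presence in the sanitized output
-- would mean that payload was not neutralised. The output is
-- case-folded before matching so variants like <SCRIPT> are caught.
dangerousMarkers :: [T.Text]
dangerousMarkers = ["<script", "onerror=", "javascript:", "<iframe"]

-- True when no dangerous marker remains in the sanitized text.
isClean :: T.Text -> Bool
isClean sanitized =
  not (any (`T.isInfixOf` T.toLower sanitized) dangerousMarkers)

-- Sanitize one payload, print before/after, and report the verdict.
check :: T.Text -> IO Bool
check raw = do
  let out = sanitizeXSS raw
      ok  = isClean out
  TIO.putStrLn (T.concat ["in : ", raw])
  TIO.putStrLn (T.concat ["out: ", out])
  TIO.putStrLn (if ok then "     ok: no dangerous markers remain"
                      else "     FAIL: dangerous markers survived")
  return ok

main :: IO ()
main = do
  results <- mapM check payloads
  if and results
    then putStrLn "all payloads neutralised"
    else putStrLn "some payloads were NOT neutralised"
```

The marker scan is a smoke test, not a proof: it only shows that these particular strings are gone, and sanitizeXSS is a whitelist filter for HTML fragments, so the sanitized text still has to be emitted in an HTML body context rather than inside an attribute, a script block or a URL.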

Comment 3 Jens Petersen 2011-10-03 03:38:32 UTC
We need this package for the yesod web framework, so submitting this on behalf of Ben, who is away right now.


New Package SCM Request
=======================
Package Name: ghc-xss-sanitize
Short Description: Sanitize untrusted HTML to prevent XSS attacks
Owners: mathstuf, petersen, narasim
Branches: f16 f15 f14 el6
InitialCC: haskell-sig

Comment 4 Gwyn Ciesla 2011-10-03 12:18:28 UTC
Git done (by process-git-requests).

Comment 5 Fedora Update System 2011-10-04 01:51:40 UTC
ghc-xss-sanitize-0.2.6-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/ghc-xss-sanitize-0.2.6-1.fc15

Comment 6 Fedora Update System 2011-10-04 01:51:48 UTC
ghc-xss-sanitize-0.2.6-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ghc-xss-sanitize-0.2.6-1.fc16

Comment 7 Fedora Update System 2011-10-04 01:51:56 UTC
ghc-xss-sanitize-0.2.6-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/ghc-xss-sanitize-0.2.6-1.fc14

Comment 8 Fedora Update System 2011-10-04 20:48:32 UTC
ghc-xss-sanitize-0.2.6-1.fc16 has been pushed to the Fedora 16 testing repository.

Comment 9 Fedora Update System 2011-10-13 00:48:54 UTC
ghc-xss-sanitize-0.2.6-1.fc14 has been pushed to the Fedora 14 stable repository.

Comment 10 Fedora Update System 2011-10-13 00:54:09 UTC
ghc-xss-sanitize-0.2.6-1.fc15 has been pushed to the Fedora 15 stable repository.

Comment 11 Fedora Update System 2011-10-13 04:32:34 UTC
ghc-xss-sanitize-0.2.6-1.fc16 has been pushed to the Fedora 16 stable repository.

Comment 12 Fedora Update System 2012-12-13 03:12:56 UTC
ghc-xss-sanitize-0.3.2-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/ghc-xss-sanitize-0.3.2-1.el6

Comment 13 Fedora Update System 2012-12-29 19:33:03 UTC
ghc-xss-sanitize-0.3.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.

