[Pkg-xfce-devel] Bug#889905: xfce4-notifyd: privacy-invasive logging of notification content

Sergio Gelato Sergio.Gelato at astro.su.se
Thu Feb 8 16:05:43 UTC 2018


Package: xfce4-notifyd
Version: 0.3.4-1
Severity: important
Tags: security

xfce4-notifyd has bugs (known upstream) in its handling of markup, more
specifically of unintentional markup <like this> &this. This bug report
is about the way it logs occurrences of such (non-)markup.

Here is a (redacted) example of an entry I've seen in my logs due to user
activity. I don't want, and my users almost certainly don't want me, to see
this much detail: it's privacy-invasive. I'll filter out these messages
but feel that they shouldn't be sent to syslog in the first place. Not in so
much detail, and not for every notification that happens to contain an
ampersand or a < bracket.

Feb  8 HH:MM:SS HOST xfce4-notifyd[PID]: Failed to set text 'NAME: Dear all, the C&G working group is organising a brainstorming session on the topic of TOPIC. Here you can find a preliminary compilation of papers that might be interesting to discuss. You are more than welcome to attend the meeting (DATE @ TIME), and to actively participate to the session by suggesting subtopics, papers, comments, etc. The document should be editable. Let me know if you cannot edit it. Here it is the link: FQDN/fil...' from markup due to error parsing markup: Error on line 1: Entity did not end with a semicolon; most likely you used an ampersand character without intending to start an entity - escape ampersand as &



More information about the Pkg-xfce-devel mailing list