[Pkg-xfce-devel] Bug#889905: Bug#889905: xfce4-notifyd: privacy-invasive logging of notification content

Sergio Gelato Sergio.Gelato at astro.su.se
Fri Feb 9 08:57:39 UTC 2018


* Yves-Alexis Perez [2018-02-08 20:38:01 +0100]:
> Hi, thanks for the bug report. Can you provide the upstream bug report on
> this? I can't reproduce with:
> 
> notify-send '<like this> &this' on xfce4-notifyd 0.4.1-1 so maybe it's been
> fixed meanwhile.

The upstream bug numbers are #10027 and #14073. Yes, 0.4.1 includes some of
the associated fixes, although as noted in
https://bugzilla.xfce.org/show_bug.cgi?id=14073#c5
nothing short of xfce4-notifyd parsing the notification string itself will
actually solve the problem, and this is planned for 0.4.2 at the earliest.

Apparently, only the body is subject to markup interpretation. Try
	notify-send 'markup test' '<like this> &this'
On Debian stretch, this yields:
  xfce4-notifyd[2039]: Failed to set text '<like this> &this' from markup due to error parsing markup: Error on line 1 char 19: Odd character '>', expected a '=' after attribute name 'this' of element 'like'
(and the body isn't shown to the user, only logged).

> First, it's definitely not xfce4-notifyd sending this to syslog. More likely
> it's just output to stdout/stderr and systemd forwards it to journal and the
> syslog.

The systemd unit file is part of this Debian package, and the information is
being disclosed by xfce4-notifyd. That xfce4-notifyd doesn't call syslog()
directly is just an implementation detail as far as I'm concerned.
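
The failure mode reported above is that a body which does not parse as markup is hidden from the user and copied into the log. The following Python example is added here and is not part of the original message or of xfce4-notifyd's code. It shows a daemon-side check that validates the body itself, falls back to escaped plain text, and logs only metadata. `prepare_body`, the tag allow-list, and the use of Python's XML parser as a stand-in for GLib's markup parser are assumptions.

```python
import logging
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

log = logging.getLogger("notifyd-example")

# Assumption: a hypothetical allow-list of inline tags for notification bodies.
ALLOWED_TAGS = {"b", "i", "u"}


def prepare_body(body):
    """Return (markup_to_display, log_message_or_None).

    The body is parsed before it is handed to the text renderer. If it is
    not well-formed, or uses a tag outside the allow-list, it is escaped so
    the user still sees it as literal text. The log message carries only the
    length and a fixed reason string, never the notification content.
    """
    try:
        # Wrapping in a root element lets fragments parse and also makes any
        # embedded DOCTYPE/entity declaration a parse error.
        root = ET.fromstring("<body>%s</body>" % body)
        if all(el.tag in ALLOWED_TAGS for el in root.iter() if el is not root):
            return body, None
        reason = "disallowed element"
    except ET.ParseError:
        reason = "not well-formed markup"
    message = "body of %d chars displayed as plain text: %s" % (len(body), reason)
    return escape(body), message


def show(summary, body):
    """Stand-in for the daemon's display path; returns what would be rendered."""
    markup, message = prepare_body(body)
    if message is not None:
        log.warning(message)  # content-free by construction
    return summary, markup


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed inputs; the second is the body from the report above.
    for sample in ("<b>bold</b> text", "<like this> &this"):
        print(show("markup test", sample))
```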