[Secure-testing-team] Bug#602260: typo3-src-4.3: assorted embedded code copies
Simon McVittie
smcv at debian.org
Wed Nov 3 00:27:29 UTC 2010
Package: typo3-src-4.3
Version: 4.3.8-1
Severity: normal
Tags: security
typo3 has quite a few embedded code copies in contrib/. Some of these are
probably unavoidable, but extjs is packaged separately, and IMO swfobject
should be too.
typo3/contrib/flashmedia/swfobject
    Not packaged, http://code.google.com/p/swfobject/, RFP #601160
    Not really source code (it's been compressed with yui-compressor),
    and no source code here for expressInstall.swf (#591969), but source
    code exists.

typo3/contrib/extjs/
    libjs-extjs 3.0.0
    Appears to contain source code plus a compressed version

typo3/contrib/flashmedia/flvplayer.swf
    Origin unknown, no source code, see #591969

typo3/contrib/flashmedia/player.swf
    GPL'd with no source code present, see #591969

typo3/contrib/json
    Services_JSON, not packaged

typo3/contrib/jsmin
    A PHP port of jsmin, sadly non-free (#602250)

typo3/contrib/flashmedia/qtobject
    Non-free by omission, but probably intended to be free software:
    "There are no usage restrictions on this file, feel free to
    distribute this code and associated files". I'll include this in
    #602250.

typo3/contrib/RemoveXSS
    Upstream website has disappeared, but at least it's Free (PD).
    I can't help feeling that this is not how you avoid cross-site scripting,
    though.

Code copies which have correctly been replaced by a symlink to packaged
versions include prototype and scriptaculous.
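As an added illustration of the point made about RemoveXSS (this is example code written for this page, not TYPO3 code and not RemoveXSS itself): the robust way to prevent cross-site scripting is to escape untrusted data at the point of output, for the specific context it is emitted into, rather than trying to strip "dangerous" patterns from input. The helper names and the sample `$name` value below are assumptions constructed for the example.

```php
<?php
// Added example (not TYPO3 or RemoveXSS code): context-aware output escaping.

function escapeHtmlText(string $untrusted): string
{
    // ENT_QUOTES also encodes ' and ", so the result is safe both as text
    // content and inside attribute values quoted with either character.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escapeForJsString(string $untrusted): string
{
    // Data embedded in a <script> block needs a different escaper: JSON-encode
    // it and hex-escape <, >, &, ' and " so the value can neither close the
    // script element nor break out of the string literal.
    return json_encode(
        $untrusted,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample value standing in for a request parameter; it is stored
// and logged unchanged, and only escaped when rendered.
$name = '<b>Bob</b> & "friends"';

// Each output context gets the escaper that matches it.
echo '<p>Hello, ' . escapeHtmlText($name) . "</p>\n";
echo '<input type="text" value="' . escapeHtmlText($name) . "\">\n";
echo '<script>var who = ' . escapeForJsString($name) . ";</script>\n";
```

The first two lines render the markup characters literally (`&lt;b&gt;Bob&lt;/b&gt; &amp; &quot;friends&quot;`), and the third yields a JavaScript string literal with the special characters as `\u003C`-style escapes, so no input pattern list needs maintaining. A filter such as RemoveXSS that rewrites input can only ever chase patterns it knows about, and it does not know which context the data will later be emitted into.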
Regards,
S