#1010066 prayer: Depends on private functions that are hidden with tidy 5.8

#1010066#5
Date: 2022-04-23 14:23:09 UTC

Dear Debian prayer package maintainer,

When preparing the upload of package tidy-html5 v5.8 onto Debian Unstable, I
noticed that your package FTBFS with the new tidy library:

================================================================
/usr/bin/ld: ../session/session.a(html_secure_tidy.o): in function `tidy_tree':
./session/html_secure_tidy.c:311: undefined reference to `prvTidyDiscardElement'
/usr/bin/ld: ./session/html_secure_tidy.c:322: undefined reference to `prvTidyRemoveAttribute'
/usr/bin/ld: ./session/html_secure_tidy.c:329: undefined reference to `prvTidyAddAttribute'
collect2: error: ld returned 1 exit status
================================================================

This is because your package uses some of Tidy's unexported internal
functions that are explicitly hidden in Tidy 5.8:

================================================================
/* Foul layering volation: Tidy doesn't export these functions */

extern void prvTidyDiscardElement( TidyDoc doc, TidyNode node);
extern void prvTidyRemoveAttribute( TidyDoc doc, TidyNode node, TidyAttr attr);
extern void prvTidyAddAttribute( TidyDoc doc, TidyNode node,
                                 const char *attr, const char *value);
================================================================


I believe this change is intentional by upstream, and will not be changed in
the foreseeable future. Please consider fixing the build by removing the use of
internal Tidy functions. Thanks!

Best,
Boyuan Yang

#1010066#12
Date: 2022-05-31 14:11:03 UTC

Boyuan Yang wrote:

Hi, I am a nosy bystander.

I eyeballed these two references:

https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/session/html_secure_tidy.c/#L274-L334
https://api.html-tidy.org/tidy/tidylib_api_5.8.0/group__parser__h.html#ga46769d54f0a1bcfd801d60c34eb563e7

Is it sufficient to simply change "prvTidyDiscardElement" to "TY_DiscardElement"?

The TY_DiscardElement docs say "TY_Private".
Does that mean "you're not allowed to call this, either"?

If so, we can build prayer without tidy at all.
Prayer will then use an older in-house HTML sanitizer:

https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/Config/?hl=16#L16
https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/session/Makefile/#L27-L35

The whole purpose of html_secure*.c is to "safely" embed an attacker's
untrusted HTML (the email) inside trusted HTML (the webmail app).
The code predates things like Content-Security-Policy (added circa 2013),
so it's probably *NEVER* safe, regardless of whether tidy is or isn't used.

Prayer is abandoned upstream since the 201x's.
I can't find a direct citation, but here's the last time the "homepage" existed:

https://web.archive.org/web/20161129034822/http://www-uxsup.csx.cam.ac.uk:80/~dpc22/prayer/
https://web.archive.org/web/20130701184507/http://www-uxsup.csx.cam.ac.uk/%7Edpc22/

#1010066#17
Date: 2022-06-04 15:48:53 UTC

On Tuesday, 31 May 2022 at 16:11:03 CEST, Trent W. Buck wrote:

You mean TY_(DiscardElement)? TY_() is simply a macro that prepends "prvTidy"
to the function name, but it's internal, which is why Prayer called it as
prvTidyDiscardElement(). What changed, however, is that those internal
functions are now hidden so you _can't_ link them. At the same time, there is
a public version now, tidyDiscardElement(), but there is no public
tidyAddAttribute(), which is where we get stuck.

Well, not automatically. It's not bundled with the Prayer source. I don't know
if it can be found anywhere.

Yeah, it may be time to let Prayer go. It's not exactly modern, and I don't
even use it myself.

#1010066#24
Date: 2024-02-26 18:31:17 UTC

Dear submitter,

as the package prayer has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1063872

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)