[Git][security-tracker-team/security-tracker][master] 2 commits: Fix links with extra trailing characters (Closes: #994897)

Emilio Pozuelo Monfort (@pochu) pochu at debian.org
Thu Jul 17 10:16:26 BST 2025



Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
086e3363 by Sylvain Beucler at 2025-07-12T14:30:50+02:00
Fix links with extra trailing characters (Closes: #994897)

Proper URL validation is pretty complex, so we're only adding a
heuristic against common issues (sentence-closing period or
parenthesis without space right after a URL).

Examples:
- CVE-2019-11841: "See https://github.com/golang/go/issues/41200."
- CVE-2025-3576: "(cf. https://web.mit.edu/kerberos/krb5-1.21/)"
- CVE-2024-36462: "in https://github.com/.../036f3e14be3, first"
- CVE-2024-27280: "bugfix for https://bugs.ruby-lang.org/issues/19389:"
- CVE-2009-0676: "in <https://bugzilla.redhat.com/show_bug.cgi?id=486305>"

False-positives analysis:
- '.,:' technically valid in URLs, but no valid occurrences in the tracker;
- ')>' should be URL-encoded in the non-hostname part of the URL.

- - - - -
f4da61d1 by Emilio Pozuelo Monfort at 2025-07-17T09:16:22+00:00
Merge branch '994897-fix-url-links' into 'master'

Fix links with extra trailing characters (Closes: #994897)

See merge request security-tracker-team/security-tracker!234
- - - - -


1 changed file:

- lib/python/web_support.py


Changes:

=====================================
lib/python/web_support.py
=====================================
@@ -486,8 +486,8 @@ def make_pre(lines):
     pre = []
     append = pre.append
     for line in lines:
-        # turn https:// and http:// into links
-        results=re.search("(.*)(?P<url>https?://[^\s]+)(.*)", line)
+        # turn https:// and http:// into links, leaving out trailing '.,:)>'
+        results=re.search("(.*)(?P<url>https?://[^\s]+[^\s.,:)>])(.*)", line)
         if results:
             for group in results.groups():
                 if group.startswith('http://') or group.startswith('https://'):
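
Review bot: On the `+` line the pattern is still an ordinary string literal containing `\s`, which Python treats as an invalid escape sequence (a DeprecationWarning since 3.6, a SyntaxWarning since 3.12); since the line is being touched anyway, make it a raw string: `r"(.*)(?P<url>https?://[^\s]+[^\s.,:)>])(.*)"`. The new final class `[^\s.,:)>]` also means that a URL which legitimately ends in one of those characters, for example a path ending in `)`, is linked without it and so points at a different resource. The commit message accepts this as a heuristic, but the in-code comment should say so as well, so that the next reader does not take it for URL validation. A few test lines built from the five examples in the commit message would pin the behaviour down.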



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f2adc4a74271696617904fe9d35fdd9e975b396c...f4da61d1ca868b3418714643497a8f302ab6150c
