Simon McVittie
2010-Nov-03 00:27 UTC
[Secure-testing-team] Bug#602260: typo3-src-4.3: assorted embedded code copies
Package: typo3-src-4.3
Version: 4.3.8-1
Severity: normal
Tags: security

typo3 has quite a few embedded code copies in contrib/. Some of these are
probably unavoidable, but extjs is packaged separately, and IMO swfobject
should be too.

typo3/contrib/flashmedia/swfobject
    Not packaged, http://code.google.com/p/swfobject/, RFP #601160
    Not really source code (it's been compressed with yui-compressor), and no
    source code here for expressInstall.swf (#591969), but source code exists.

typo3/contrib/extjs/
    libjs-extjs 3.0.0
    Appears to contain source code plus a compressed version

typo3/contrib/flashmedia/flvplayer.swf
    Origin unknown, no source code, see #591969

typo3/contrib/flashmedia/player.swf
    GPL'd with no source code present, see #591969

typo3/contrib/json
    Services_JSON, not packaged

typo3/contrib/jsmin
    A PHP port of jsmin, sadly non-free (#602250)

typo3/contrib/flashmedia/qtobject
    Non-free by omission, but probably intended to be free software: "There
    are no usage restrictions on this file, feel free to distribute this code
    and associated files". I'll include this in #602250.

typo3/contrib/RemoveXSS
    Upstream website has disappeared, but at least it's Free (PD). I can't
    help feeling that this is not how you avoid cross-site scripting, though.

Code copies which have correctly been replaced by a symlink to packaged
versions include prototype and scriptaculous.

Regards,
    S
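The check a packager does before replacing an embedded copy with a symlink to the separately packaged version (the treatment the report says prototype and scriptaculous already received), as an added example that is not part of the bug report or of the typo3 package. The script compares every file of the embedded copy against the system copy and only links when they are byte-identical, since a copy that has drifted from the packaged version would silently change behaviour once symlinked. The /usr/share/javascript paths in the demo are an assumption about where Debian's libjs-* packages install their files; the demo tree itself is constructed in a temporary directory so the script runs offline.

```sh
#!/bin/sh
# Added example, not code from the typo3 package or the Debian bug report.
# Decide whether an embedded code copy (e.g. typo3/contrib/extjs) can be
# replaced by a symlink to the separately packaged copy.

# check_embedded_copy EMBEDDED PACKAGED
# Prints exactly one word:
#   missing    PACKAGED does not exist (nothing to link against)
#   differs    some file under EMBEDDED is absent from or differs in PACKAGED
#   identical  every file under EMBEDDED is byte-identical in PACKAGED
# The first differing file is named on stderr.
check_embedded_copy() {
    embedded=$1
    [ -d "$2" ] || { echo missing; return 0; }
    packaged=$(cd "$2" && pwd)   # absolute, so it survives the cd below
    if (cd "$embedded" && find . -type f | while IFS= read -r f; do
            cmp -s "$f" "$packaged/$f" || { echo "  differs: $f" >&2; exit 1; }
        done); then
        echo identical
    else
        echo differs
    fi
}

# replace_with_symlink EMBEDDED PACKAGED
# Replaces EMBEDDED with a symlink to PACKAGED only when the copies are
# identical. Returns 0 when the link was made, 1 when the copy was left alone.
replace_with_symlink() {
    [ "$(check_embedded_copy "$1" "$2")" = identical ] || return 1
    rm -rf "$1"
    ln -s "$2" "$1"
}

# demo: a constructed source tree with one copy that matches the packaged
# version, one that has drifted, and one with no packaged counterpart.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/contrib/extjs" "$tmp/src/contrib/swfobject" \
             "$tmp/src/contrib/jsmin" \
             "$tmp/usr/share/javascript/extjs" "$tmp/usr/share/javascript/swfobject"
    echo 'var Ext = {};'      > "$tmp/src/contrib/extjs/ext-all.js"
    echo 'var Ext = {};'      > "$tmp/usr/share/javascript/extjs/ext-all.js"
    echo 'var swfobject=1;'   > "$tmp/src/contrib/swfobject/swfobject.js"
    echo 'var swfobject = 1;' > "$tmp/usr/share/javascript/swfobject/swfobject.js"
    echo 'jsmin placeholder'  > "$tmp/src/contrib/jsmin/jsmin.php"

    for c in extjs swfobject jsmin; do
        printf '%-10s %s\n' "$c" \
            "$(check_embedded_copy "$tmp/src/contrib/$c" "$tmp/usr/share/javascript/$c")"
    done
    rm -rf "$tmp"
}
```

Run `demo` to see the three outcomes; in a real package the loop would iterate over the contrib/ entries and the packaged paths the maintainer has verified, and anything reported as differs or missing stays an embedded copy that needs its own security tracking.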