summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoey Hess <joey@kodama.kitenet.net>2008-11-05 14:47:50 -0500
committerJoey Hess <joey@kodama.kitenet.net>2008-11-05 14:47:50 -0500
commit6fbe214d91ca9be37d149a1e5ba11590490959aa (patch)
treedd9f4ea2f4c00de87d8808a8737e4b6148ab8851
parent7e95723dadfe2a11fcd2463f2e8adf579fdc64db (diff)
fixed one security problem, two more need review
-rw-r--r--doc/plugins/po.mdwn6
1 files changed, 6 insertions, 0 deletions
diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn
index 7ac1b3f0f..ba293f262 100644
--- a/doc/plugins/po.mdwn
+++ b/doc/plugins/po.mdwn
@@ -227,8 +227,14 @@ Security checks
- `refreshpofiles` uses `system()`, whose args have to be checked more
thoroughly to prevent any security issue (command injection, etc.).
+ > Always pass `system()` a list of parameters to avoid the shell.
+ > I've checked in a change fixing that. --[[Joey]]
- `refreshpofiles` and `refreshpot` create new files; this may need
some checks, e.g. using `IkiWiki::prep_writefile()`
+- Can any sort of directives be put in po files that will
+ cause mischief (ie, include other files, run commands, crash gettext,
+ whatever).
+- Any security issues on running po4a on untrusted content?
gettext/po4a rough corners
--------------------------