diff options
| author | Joey Hess <joey@kodama.kitenet.net> | 2008-11-05 14:47:50 -0500 |
|---|---|---|
| committer | Joey Hess <joey@kodama.kitenet.net> | 2008-11-05 14:47:50 -0500 |
| commit | 6fbe214d91ca9be37d149a1e5ba11590490959aa (patch) | |
| tree | dd9f4ea2f4c00de87d8808a8737e4b6148ab8851 | |
| parent | 7e95723dadfe2a11fcd2463f2e8adf579fdc64db (diff) | |
fixed one security problem, two more need review
| -rw-r--r-- | doc/plugins/po.mdwn | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn index 7ac1b3f0f..ba293f262 100644 --- a/doc/plugins/po.mdwn +++ b/doc/plugins/po.mdwn @@ -227,8 +227,14 @@ Security checks - `refreshpofiles` uses `system()`, whose args have to be checked more thoroughly to prevent any security issue (command injection, etc.). + > Always pass `system()` a list of parameters to avoid the shell. + > I've checked in a change fixing that. --[[Joey]] - `refreshpofiles` and `refreshpot` create new files; this may need some checks, e.g. using `IkiWiki::prep_writefile()` +- Can any sort of directives be put in po files that will + cause mischief (ie, include other files, run commands, crash gettext, + whatever). +- Any security issues on running po4a on untrusted content? gettext/po4a rough corners -------------------------- |