diff options
Diffstat (limited to 'doc/plugins')
-rw-r--r-- | doc/plugins/po.mdwn | 308 | ||||
-rw-r--r-- | doc/plugins/po/security.mdwn | 206 | ||||
-rw-r--r-- | doc/plugins/write.mdwn | 64 |
3 files changed, 573 insertions, 5 deletions
diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn new file mode 100644 index 000000000..7165015ab --- /dev/null +++ b/doc/plugins/po.mdwn @@ -0,0 +1,308 @@ +[[!template id=plugin name=po core=0 author="[[intrigeri]]"]] +[[!tag type/format]] + +This plugin adds support for multi-lingual wikis, translated with +gettext, using [po4a](http://po4a.alioth.debian.org/). + +It depends on the Perl `Locale::Po4a::Po` library (`apt-get install po4a`). + +[[!toc levels=2]] + +Introduction +============ + +A language is chosen as the "master" one, and any other supported +language is a "slave" one. + +A page written in the "master" language is a "master" page. It can be +of any page type supported by ikiwiki, except `po`. It does not have to be +named a special way: migration to this plugin does not imply any page +renaming work. + +Example: `bla/page.mdwn` is a "master" Markdown page written in +English; if `usedirs` is enabled, it is rendered as +`bla/page/index.en.html`, else as `bla/page.en.html`. + +Any translation of a "master" page into a "slave" language is called +a "slave" page; it is written in the gettext PO format. `po` is now +a page type supported by ikiwiki. + +Example: `bla/page.fr.po` is the PO "message catalog" used to +translate `bla/page.mdwn` into French; if `usedirs` is enabled, it is +rendered as `bla/page/index.fr.html`, else as `bla/page.fr.html` + +(In)Compatibility +================= + +This plugin does not support the `indexpages` mode. If you don't know +what it is, you probably don't care. + + +Configuration +============= + +Supported languages +------------------- + +`po_master_language` is used to set the "master" language in +`ikiwiki.setup`, such as: + + po_master_language => { 'code' => 'en', 'name' => 'English' } + +`po_slave_languages` is used to set the list of supported "slave" +languages, such as: + + po_slave_languages => { 'fr' => 'Français', + 'es' => 'Castellano', + 'de' => 'Deutsch', + } + +Decide which pages are translatable +----------------------------------- + +The `po_translatable_pages` setting configures what pages are +translatable. It is a [[ikiwiki/PageSpec]], so you have lots of +control over what kind of pages are translatable. + +The `.po` files are not considered as being translatable, so you don't need to +worry about excluding them explicitly from this [[ikiwiki/PageSpec]]. + +Internal links +-------------- + +The `po_link_to` option in `ikiwiki.setup` is used to decide how +internal links should be generated, depending on web server features +and site-specific preferences. + +### Default linking behavior + +If `po_link_to` is unset, or set to `default`, ikiwiki's default +linking behavior is preserved: `\[[destpage]]` links to the master +language's page. + +### Link to current language + +If `po_link_to` is set to `current`, `\[[destpage]]` links to the +`destpage`'s version written in the current page's language, if +available, *i.e.*: + +* `foo/destpage/index.LL.html` if `usedirs` is enabled +* `foo/destpage.LL.html` if `usedirs` is disabled + +### Link to negotiated language + +If `po_link_to` is set to `negotiated`, `\[[page]]` links to the +negotiated preferred language, *i.e.* `foo/page/`. + +(In)compatibility notes: + +* if `usedirs` is disabled, it does not make sense to set `po_link_to` + to `negotiated`; this option combination is neither implemented + nor allowed. +* if the web server does not support Content Negotiation, setting + `po_link_to` to `negotiated` will produce a unusable website. + + +Server support +============== + +Apache +------ + +Using Apache `mod_negotiation` makes it really easy to have Apache +serve any page in the client's preferred language, if available. +This is the default Debian Apache configuration. + +When `usedirs` is enabled, one has to set `DirectoryIndex index` for +the wiki context. + +Setting `DefaultLanguage LL` (replace `LL` with your default MIME +language code) for the wiki context can help to ensure +`bla/page/index.en.html` is served as `Content-Language: LL`. + +lighttpd +-------- + +lighttpd unfortunately does not support content negotiation. + +**FIXME**: does `mod_magnet` provide the functionality needed to + emulate this? + + +Usage +===== + +Templates +--------- + +When `po_link_to` is not set to `negotiated`, one should replace some +occurrences of `BASEURL` with `HOMEPAGEURL` to get correct links to +the wiki homepage. + +The `ISTRANSLATION` and `ISTRANSLATABLE` variables can be used to +display things only on translatable or translation pages. + +### Display page's versions in other languages + +The `OTHERLANGUAGES` loop provides ways to display other languages' +versions of the same page, and the translations' status. + +One typically adds the following code to `templates/page.tmpl`: + + <TMPL_IF NAME="OTHERLANGUAGES"> + <div id="otherlanguages"> + <ul> + <TMPL_LOOP NAME="OTHERLANGUAGES"> + <li> + <a href="<TMPL_VAR NAME="URL">"><TMPL_VAR NAME="LANGUAGE"></a> + <TMPL_UNLESS NAME="MASTER"> + (<TMPL_VAR NAME="PERCENT"> %) + </TMPL_UNLESS> + </li> + </TMPL_LOOP> + </ul> + </div> + </TMPL_IF> + +The following variables are available inside the loop (for every page in): + +* `URL` - url to the page +* `CODE` - two-letters language code +* `LANGUAGE` - language name (as defined in `po_slave_languages`) +* `MASTER` - is true (1) if, and only if the page is a "master" page +* `PERCENT` - for "slave" pages, is set to the translation completeness, in percents + +### Display the current translation status + +The `PERCENTTRANSLATED` variable is set to the translation +completeness, expressed in percent, on "slave" pages. + +One can use it this way: + + <TMPL_IF NAME="ISTRANSLATION"> + <div id="percenttranslated"> + <TMPL_VAR NAME="PERCENTTRANSLATED"> + </div> + </TMPL_IF> + +Additional PageSpec tests +------------------------- + +This plugin enhances the regular [[ikiwiki/PageSpec]] syntax with some +additional tests that are documented [[here|ikiwiki/pagespec/po]]. + +Automatic PO file update +------------------------ + +Committing changes to a "master" page: + +1. updates the POT file and the PO files for the "slave" languages; + the updated PO files are then put under version control; +2. triggers a refresh of the corresponding HTML slave pages. + +Also, when the plugin has just been enabled, or when a page has just +been declared as being translatable, the needed POT and PO files are +created, and the PO files are checked into version control. + +Discussion pages and other sub-pages +------------------------------------ + +Discussion should happen in the language in which the pages are +written for real, *i.e.* the "master" one. If discussion pages are +enabled, "slave" pages therefore link to the "master" page's +discussion page. + +Likewise, "slave" pages are not supposed to have sub-pages; +[[WikiLinks|wikilink]] that appear on a "slave" page therefore link to +the master page's sub-pages. + +Translating +----------- + +One can edit the PO files using ikiwiki's CGI (a message-by-message +interface could also be implemented at some point). + +If [[tips/untrusted_git_push]] is setup, one can edit the PO files in one's +preferred `$EDITOR`, without needing to be online. + +Markup languages support +------------------------ + +Markdown is well supported. Some other markup languages supported by +ikiwiki mostly work, but some pieces of syntax are not rendered +correctly on the slave pages: + +* [[reStructuredText|rst]]: anonymous hyperlinks and internal + cross-references +* [[wikitext]]: conversion of newlines to paragraphs +* [[creole]]: verbatim text is wrapped, tables are broken +* [[html]] and LaTeX: not supported yet; the dedicated po4a modules + could be used to support them, but they would need a security audit +* other markup languages have not been tested. + +Security +======== + +[[./security]] contains a detailed security analysis of this plugin +and its dependencies. + +When using po4a older than 0.35, it is recommended to uninstall +`Text::WrapI18N` (Debian package `libtext-wrapi18n-perl`), in order to +avoid a potential denial of service. + +TODO +==== + +Better links +------------ + +### Page title in links + +Using the fix to +[[bugs/pagetitle_function_does_not_respect_meta_titles]] from +[[intrigeri]]'s `meta` branch, the generated links' text is based on +the page titles set with the [[meta|plugins/meta]] plugin. This has to +be merged into ikiwiki upstream, though. + +Robustness tests +---------------- + +### Enabling/disabling the plugin + +* enabling the plugin with `po_translatable_pages` set to blacklist: **OK** +* enabling the plugin with `po_translatable_pages` set to whitelist: **OK** +* enabling the plugin without `po_translatable_pages` set: **OK** +* disabling the plugin: **OK** + +### Changing the plugin config + +* adding existing pages to `po_translatable_pages`: **OK** +* removing existing pages from `po_translatable_pages`: **OK** +* adding a language to `po_slave_languages`: **OK** +* removing a language from `po_slave_languages`: **OK** +* changing `po_master_language`: **OK** +* replacing `po_master_language` with a language previously part of + `po_slave_languages`: needs two rebuilds, but **OK** (this is quite + a perverse test actually) + +### Creating/deleting/renaming pages + +All cases of master/slave page creation/deletion/rename, both via RCS +and via CGI, have been tested. + +### Misc + +* general test with `usedirs` disabled: **OK** +* general test with `indexpages` enabled: **not OK** +* general test with `po_link_to=default` with `userdirs` enabled: **OK** +* general test with `po_link_to=default` with `userdirs` disabled: **OK** + +Misc. bugs +---------- + +Documentation +------------- + +Maybe write separate documentation depending on the people it targets: +translators, wiki administrators, hackers. This plugin may be complex +enough to deserve this. diff --git a/doc/plugins/po/security.mdwn b/doc/plugins/po/security.mdwn new file mode 100644 index 000000000..318083669 --- /dev/null +++ b/doc/plugins/po/security.mdwn @@ -0,0 +1,206 @@ +[[!toc levels=2]] + +---- + +# Probable holes + +_(The list of things to fix.)_ + +## po4a-gettextize + +* po4a CVS 2009-01-16 +* Perl 5.10.0 + +`po4a-gettextize` uses more or less the same po4a features as our +`refreshpot` function. + +Without specifying an input charset, zzuf'ed `po4a-gettextize` quickly +errors out, complaining it was not able to detect the input charset; +it leaves no incomplete file on disk. I therefore had to pretend the +input was in UTF-8, as does the po plugin. + + zzuf -c -s 13 -r 0.1 \ + po4a-gettextize -f text -o markdown -M utf-8 -L utf-8 \ + -m GPL-3 -p GPL-3.pot + +Crashes with: + + Malformed UTF-8 character (UTF-16 surrogate 0xdfa4) in substitution + iterator at /usr/share/perl5/Locale/Po4a/Po.pm line 1449. + Malformed UTF-8 character (fatal) at /usr/share/perl5/Locale/Po4a/Po.pm + line 1449. + +An incomplete pot file is left on disk. Unfortunately Po.pm tells us +nothing about the place where the crash happens. + +> It's fairly standard perl behavior when fed malformed utf-8. As long +> as it doesn't crash ikiwiki, it's probably acceptable. Ikiwiki can +> do some similar things itself when fed malformed utf-8 (doesn't +> crash tho) --[[Joey]] + +---- + +# Potential gotchas + +_(Things not to do.)_ + + +## Blindly activating more po4a format modules + +The format modules we want to use have to be checked, as not all are +safe (e.g. the LaTeX module's behaviour is changed by commands +included in the content); they may use regexps generated from +the content. + +---- + +# Hopefully non-holes + +_(AKA, the assumptions that will be the root of most security holes...)_ + +## PO file features + +No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files) +directive that can be put in po files is supposed to cause mischief +(ie, include other files, run commands, crash gettext, whatever). + +## gettext + +### Security history + +The only past security issue I could find in GNU gettext is +[CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966), +*i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283): +the autopoint and gettextize scripts in the GNU gettext package (1.14 +and later versions) may allow local users to overwrite files via +a symlink attack on temporary files. + +This plugin would not have allowed to exploit this bug, as it does not +use, either directly or indirectly, the faulty scripts. + +Note: the lack of found security issues can either indicate that there +are none, or reveal that no-one ever bothered to find or publish them. + +### msgmerge + +`refreshpofiles()` runs this external program. + +* I was not able to crash it with `zzuf`. +* I could not find any past security hole. + +### msgfmt + +`isvalidpo()` runs this external program. + +* I was not able to make it behave badly using zzuf: it exits cleanly + when too many errors are detected. +* I could not find any past security hole. + +## po4a + +### Security history + +The only past security issue I could find in po4a is +[CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462): +`lib/Locale/Po4a/Po.pm` in po4a before 0.32 allowed local users to +overwrite arbitrary files via a symlink attack on the +gettextization.failed.po temporary file. + +This plugin would not have allowed to exploit this bug, as it does not +use, either directly or indirectly, the faulty `gettextize` function. + +Note: the lack of found security issues can either indicate that there +are none, or reveal that no-one ever bothered to find or publish them. + +### General feeling + +Are there any security issues on running po4a on untrusted content? + +To say the least, this issue is not well covered, at least publicly: + +* the documentation does not talk about it; +* grep'ing the source code for `security` or `trust` gives no answer. + +On the other hand, a po4a developer answered my questions in +a convincing manner, stating that processing untrusted content was not +an initial goal, and analysing in detail the possible issues. +The following analysis was done with his help. + +### Details + +* the core (`Po.pm`, `Transtractor.pm`) should be safe +* po4a source code was fully checked for other potential symlink + attacks, after discovery of one such issue +* the only external program run by the core is `diff`, in `Po.pm` (in + parts of its code we don't use) +* `Locale::gettext` is only used to display translated error messages +* Nicolas François "hopes" `DynaLoader` is safe, and has "no reason to + think that `Encode` is not safe" +* Nicolas François has "no reason to think that `Encode::Guess` is not + safe". The po plugin nevertheless avoids using it by defining the + input charset (`file_in_charset`) before asking `TransTractor` to + read any file. NB: this hack depends on po4a internals. + +#### Locale::Po4a::Text + +* does not run any external program +* only `do_paragraph()` builds regexp's that expand untrusted + variables; according to [[Joey]], this is "Freaky code, but seems ok + due to use of `quotementa`". + +#### Text::WrapI18N + +`Text::WrapI18N` can cause DoS +([Debian bug #470250](http://bugs.debian.org/470250)). +It is optional, and we do not need the features it provides. + +If a recent enough po4a (>=2009-01-15 CVS, which will probably be +released as 0.35) is installed, this module's use is fully disabled. +Else, the wiki administrator is warned about this at runtime. + +#### Term::ReadKey + +`Term::ReadKey` is not a hard dependency in our case, *i.e.* po4a +works nicely without it. But the po4a Debian package recommends +`libterm-readkey-perl`, so it will probably be installed on most +systems using the po plugin. + +`Term::ReadKey` has too far reaching implications for us to +be able to guarantee anything wrt. security. + +If a recent enough po4a (>=2009-01-15 CVS, which will probably be +released as 0.35) is installed, this module's use is fully disabled. + +#### Fuzzing input + +##### po4a-translate + +* po4a CVS 2009-01-16 +* Perl 5.10.0 + +`po4a-translate` uses more or less the same po4a features as our +`filter` function. + +Without specifying an input charset, same behaviour as +`po4a-gettextize`, so let's specify UTF-8 as input charset as of now. + +`LICENSES` is a 21M file containing 100 concatenated copies of all the +files in `/usr/share/common-licenses/`; I had no existing PO file or +translated versions at hand, which renders these tests +quite incomplete. + + zzuf -cv -s 0:10 -r 0.001:0.3 \ + po4a-translate -d -f text -o markdown -M utf-8 -L utf-8 \ + -k 0 -m LICENSES -p LICENSES.fr.po -l test.fr + +... seems to lose the fight, at the `readpo(LICENSES.fr.po)` step, +against some kind of infinite loop, deadlock, or any similar beast. + +The root of this bug lies in `Text::WrapI18N`, see the corresponding +section. + + +---- + +# Fixed holes + diff --git a/doc/plugins/write.mdwn b/doc/plugins/write.mdwn index 99eea3d16..ef14f18db 100644 --- a/doc/plugins/write.mdwn +++ b/doc/plugins/write.mdwn @@ -321,6 +321,41 @@ This hook should avoid directly redirecting the user to a signin page, since it's sometimes used to test to see which pages in a set of pages a user can edit. +### cansave + + hook(type => "cansave", id => "foo", call => \&cansave); + +This hook can be used to implement arbitrary access methods to control +when a page being edited can be saved using the web interface (commits +from revision control bypass it). + +When a page is about to be saved, each registered cansave hook is +called in turn, and passed the page name, the edited content, a CGI +object and a session object. + +The return value of a cansave hook is interpreted the same as for the +canedit hook. + +### canremove + + hook(type => "canremove", id => "foo", call => \&canremove); + +This hook can be used to implement arbitrary access methods to control when +a page can be removed using the web interface (commits from revision control +bypass it). It works exactly like the `canedit` hook. + +### canrename + + hook(type => "canrename", id => "foo", call => \&canrename); + +This hook can be used to implement arbitrary access methods to control when +a page can be renamed using the web interface (commits from revision control +bypass it). It works exactly like the `canedit` and `canremove` hook, +but is passed: +* a CGI object +* a session object +* the named parameters `src`, `srcfile`, `dest` and `destfile`. + ### checkcontent hook(type => "checkcontent", id => "foo", call => \&checkcontent); @@ -380,14 +415,29 @@ This hook is called whenever ikiwiki normally saves its state, just before the state is saved. The function can save other state, modify values before they're saved, etc. -### renamepage +### renamelink - hook(type => "renamepage", id => "foo", call => \&renamepage); + hook(type => "renamelink", id => "foo", call => \&renamelink); This hook is called by the [[plugins/rename]] plugin when it renames -something. The hook is passed named parameters: `page`, `oldpage`, -`newpage`, and `content`, and should try to modify the content to reflect -the name change. For example, by converting links to point to the new page. +something, once per page linking to the renamed page's old location. +The hook is passed named parameters: `page`, `oldpage`, `newpage`, and +`content`, and should try to modify the content of `page` to reflect +the name change. For example, by converting links to point to the +new page. + +### rename + + hook(type => "rename", id => "foo", call => \&renamepages); + +When a page or set of pages is renamed, the referenced function is +called, and is passed: + +* a reference to an array of hashes with keys: `src`, `srcfile`, + `dest`, `destfile`, `required`. Such a hook function can modify + the array. +* a CGI object +* a session object ### getsetup @@ -525,6 +575,10 @@ the id can be controled by the user. Logs a debugging message. These are supressed unless verbose mode is turned on. +#### `warning($)` + +Logs a warning message. + #### `error($;$)` Aborts with an error message. If the second parameter is passed, it is a |