From 6fbe214d91ca9be37d149a1e5ba11590490959aa Mon Sep 17 00:00:00 2001
From: Joey Hess <joey@kodama.kitenet.net>
Date: Wed, 5 Nov 2008 14:47:50 -0500
Subject: fixed one security problem, two more need review

---
 doc/plugins/po.mdwn | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'doc')

diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn
index 7ac1b3f0f..ba293f262 100644
--- a/doc/plugins/po.mdwn
+++ b/doc/plugins/po.mdwn
@@ -227,8 +227,14 @@ Security checks
 
 - `refreshpofiles` uses `system()`, whose args have to be checked more
   thoroughly to prevent any security issue (command injection, etc.).
+  > Always pass `system()` a list of parameters to avoid the shell.
+  > I've checked in a change fixing that. --[[Joey]]
 - `refreshpofiles` and `refreshpot` create new files; this may need
   some checks, e.g. using `IkiWiki::prep_writefile()`
+- Can any sort of directives be put in po files that will
+  cause mischief (ie, include other files, run commands, crash gettext,
+  whatever).
+- Any security issues on running po4a on untrusted content?
 
 gettext/po4a rough corners
 --------------------------
-- 
cgit v1.2.3