From e397888a77b10d96437754779062852f56d96765 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Mon, 10 Nov 2008 23:52:50 +0100
Subject: po/doc: more security research results

Apart from the fuzzing part, I'm done with what I can do without help. The "Running po4a on untrusted content" section needs at least a quick glance from an experienced Perl programmer.

Signed-off-by: intrigeri
---
 doc/plugins/po.mdwn | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn index e88cc3106..09df26394 100644 --- a/doc/plugins/po.mdwn +++ b/doc/plugins/po.mdwn @@ -281,14 +281,19 @@ an initial goal, and analysing in detail the possible issues. ##### Locale::Po4a modules -- the modules we want to use have to be checked, as not all are safe - (e.g. the LaTeX module's behaviour is changed by commands included - in the content); they may use regexps generated from the content; we - currently only use the `Text` module -- the `Text` module does not run any external program -- check that no module is loaded by `Chooser.pm`, when we tell it to - load the `Text` one -- `nsgmls` is used by `Sgml.pm` +The modules we want to use have to be checked, as not all are safe +(e.g. the LaTeX module's behaviour is changed by commands included in +the content); they may use regexps generated from the content. + +`Chooser.pm` only loads the plugin we tell it too: currently, this +means the `Text` module only. + +`Text` module (I checked the CVS version): + +- it does not run any external program +- only `do_paragraph()` builds regexp's that expand untrusted + variables; they seem safe to me, but someone more expert than me + will need to check. Joey? ##### Text::WrapI18N
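Review bot: the rewritten `Locale::Po4a modules` paragraph drops the old "`nsgmls` is used by `Sgml.pm`" line without carrying the fact anywhere else; since the same hunk says every module must be checked before use because some are unsafe, keep that line as the one concrete record that a Po4a module does run an external program, so it is not rediscovered the next time the module list grows. Two smaller points in the same hunk: "the plugin we tell it too" should read "tell it to", and the `do_paragraph()` item would help the next reviewer more if it said what "expand untrusted variables" means, i.e. whether content is interpolated into the pattern itself (where `quotemeta` / `\Q...\E` is the expected guard) or only used as the string being matched; "seem safe to me" is not enough for a section whose purpose is to record what was verified.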
@@ -302,6 +307,13 @@ table manipulation tricks could work; overriding `Locale::Po4a::Common::wrapi18n` may be easier. I'm no expert at all in this field. Joey? [[--intrigeri]] +> Update: Nicolas François suggests we add an option to po4a to +> disable it. It would do the trick, but only for people running +> a brand new po4a (probably too late for Lenny). Anyway, this option +> would have to take effect in a `BEGIN` / `eval` that I'm not +> familiar with. I can learn and do it, in case no Perl wizard +> volunteers to provide the po4a patch. [[--intrigeri]] + ##### Term::ReadKey `Term::ReadKey` is not a hard dependency in our case, *i.e.* po4a @@ -324,6 +336,10 @@ use in our case, I suggest we define `ENV{COLUMNS}` before loading `Locale::Po4a::Common`, just to be on the safe side. Joey? [[--intrigeri]] +> Update: adding an option to disable `Text::WrapI18N`, as Nicolas +> François suggested, would as a bonus disable `Term::ReadKey` +> as well. [[--intrigeri]] + ### msgmerge `refreshpofiles()` runs this external program. A po4a developer
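Review bot: the `Text::WrapI18N` update presents a new po4a option as the fix but, as the text itself admits, it only helps people running a brand new po4a; the note should say explicitly what ikiwiki does on older po4a (keep the `ENV{COLUMNS}` workaround suggested later in this section, or refuse to run), otherwise the reader is left with a mitigation that does not apply to Lenny. "Take effect in a `BEGIN` / `eval`" is also vague: name the po4a module whose load-time code the option would have to be consulted in, so a volunteer knows where the patch goes.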
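Review bot: the `Term::ReadKey` update's claim that disabling `Text::WrapI18N` disables `Term::ReadKey` "as a bonus" rests on `Term::ReadKey` being loaded only through `Text::WrapI18N`, and the surrounding text only says that `Term::ReadKey` is not a hard dependency, not that nothing else loads it; record which po4a module pulls it in and that this was checked. Until that is confirmed, the `ENV{COLUMNS}` precaution suggested just above the update should stay in place regardless of the option.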