summaryrefslogtreecommitdiff
path: root/doc/plugins/po/security.mdwn
blob: d1bbf6c056119c76700ab9a99e99e37c281ad5bd (plain)

[[!toc levels=2]]


Probable holes

(The list of things to fix.)

po4a-gettextize

  • po4a CVS 2009-01-16
  • Perl 5.10.0

po4a-gettextize uses more or less the same po4a features as our refreshpot function.

Without specifying an input charset, zzuf'ed po4a-gettextize quickly errors out, complaining it was not able to detect the input charset; it leaves no incomplete file on disk. I therefore had to pretend the input was in UTF-8, as does the po plugin.

    zzuf -c -s 13 -r 0.1 \
        po4a-gettextize -f text -o markdown -M utf-8 -L utf-8 \
         -m GPL-3 -p GPL-3.pot

Crashes with:

    Malformed UTF-8 character (UTF-16 surrogate 0xdfa4) in substitution
    iterator at /usr/share/perl5/Locale/Po4a/Po.pm line 1449.
    Malformed UTF-8 character (fatal) at /usr/share/perl5/Locale/Po4a/Po.pm
    line 1449.

An incomplete pot file is left on disk. Unfortunately Po.pm tells us nothing about the place where the crash happens.

It's fairly standard perl behavior when fed malformed utf-8. As long as it doesn't crash ikiwiki, it's probably acceptable. Ikiwiki can do some similar things itself when fed malformed utf-8 (doesn't crash tho) --[[Joey]]


Potential gotchas

(Things not to do.)

Blindly activating more po4a format modules

The format modules we want to use have to be checked, as not all are safe (e.g. the LaTeX module's behaviour is changed by commands included in the content); they may use regexps generated from the content.


Hopefully non-holes

(AKA, the assumptions that will be the root of most security holes...)

PO file features

No documented directive that can be put in po files is supposed to cause mischief (ie, include other files, run commands, crash gettext, whatever).

gettext

Security history

The only past security issue I could find in GNU gettext is CVE-2004-0966, i.e. Debian bug #278283: the autopoint and gettextize scripts in the GNU gettext package (1.14 and later versions) may allow local users to overwrite files via a symlink attack on temporary files.

This plugin would not have allowed to exploit this bug, as it does not use, either directly or indirectly, the faulty scripts.

Note: the lack of found security issues can either indicate that there are none, or reveal that no-one ever bothered to find or publish them.

msgmerge

refreshpofiles() runs this external program.

  • I was not able to crash it with zzuf.
  • I could not find any past security hole.

msgfmt

isvalidpo() runs this external program.

  • I was not able to make it behave badly using zzuf: it exits cleanly when too many errors are detected.
  • I could not find any past security hole.

po4a

Security history

The only past security issue I could find in po4a is CVE-2007-4462: lib/Locale/Po4a/Po.pm in po4a before 0.32 allowed local users to overwrite arbitrary files via a symlink attack on the gettextization.failed.po temporary file.

This plugin would not have allowed to exploit this bug, as it does not use, either directly or indirectly, the faulty gettextize function.

Note: the lack of found security issues can either indicate that there are none, or reveal that no-one ever bothered to find or publish them.

General feeling

Are there any security issues on running po4a on untrusted content?

To say the least, this issue is not well covered, at least publicly:

  • the documentation does not talk about it;
  • grep'ing the source code for security or trust gives no answer.

On the other hand, a po4a developer answered my questions in a convincing manner, stating that processing untrusted content was not an initial goal, and analysing in detail the possible issues. The following analysis was done with his help.

Details

  • the core (Po.pm, Transtractor.pm) should be safe
  • po4a source code was fully checked for other potential symlink attacks, after discovery of one such issue
  • the only external program run by the core is diff, in Po.pm (in parts of its code we don't use)
  • Locale::gettext is only used to display translated error messages
  • Nicolas François "hopes" DynaLoader is safe, and has "no reason to think that Encode is not safe"
  • Nicolas François has "no reason to think that Encode::Guess is not safe". The po plugin nevertheless avoids using it by defining the input charset (file_in_charset) before asking TransTractor to read any file. NB: this hack depends on po4a internals.

Locale::Po4a::Text

  • does not run any external program
  • only do_paragraph() builds regexp's that expand untrusted variables; according to [[Joey]], this is "Freaky code, but seems ok due to use of quotementa".

Text::WrapI18N

Text::WrapI18N can cause DoS (Debian bug #470250). It is optional, and we do not need the features it provides.

If a recent enough po4a (>=0.35) is installed, this module's use is fully disabled. Else, the wiki administrator is warned about this at runtime.

Term::ReadKey

Term::ReadKey is not a hard dependency in our case, i.e. po4a works nicely without it. But the po4a Debian package recommends libterm-readkey-perl, so it will probably be installed on most systems using the po plugin.

Term::ReadKey has too far reaching implications for us to be able to guarantee anything wrt. security.

If a recent enough po4a (>=2009-01-15 CVS, which will probably be released as 0.35) is installed, this module's use is fully disabled.

Fuzzing input

po4a-translate
  • po4a CVS 2009-01-16
  • Perl 5.10.0

po4a-translate uses more or less the same po4a features as our filter function.

Without specifying an input charset, same behaviour as po4a-gettextize, so let's specify UTF-8 as input charset as of now.

LICENSES is a 21M file containing 100 concatenated copies of all the files in /usr/share/common-licenses/; I had no existing PO file or translated versions at hand, which renders these tests quite incomplete.

    zzuf -cv -s 0:10 -r 0.001:0.3 \
      po4a-translate -d -f text -o markdown -M utf-8 -L utf-8 \
        -k 0 -m LICENSES -p LICENSES.fr.po -l test.fr

... seems to lose the fight, at the readpo(LICENSES.fr.po) step, against some kind of infinite loop, deadlock, or any similar beast.

The root of this bug lies in Text::WrapI18N, see the corresponding section.


Fixed holes