7 _(The list of things to fix.)_
14 `po4a-gettextize` uses more or less the same po4a features as our
15 `refreshpot` function.
17 Without specifying an input charset, zzuf'ed `po4a-gettextize` quickly
18 errors out, complaining it was not able to detect the input charset;
19 it leaves no incomplete file on disk. I therefore had to pretend the
20 input was in UTF-8, as does the po plugin.
22 zzuf -c -s 13 -r 0.1 \
23 po4a-gettextize -f text -o markdown -M utf-8 -L utf-8 \
28 Malformed UTF-8 character (UTF-16 surrogate 0xdfa4) in substitution
29 iterator at /usr/share/perl5/Locale/Po4a/Po.pm line 1449.
30 Malformed UTF-8 character (fatal) at /usr/share/perl5/Locale/Po4a/Po.pm
33 An incomplete pot file is left on disk. Unfortunately Po.pm tells us
34 nothing about the place where the crash happens.
36 > It's fairly standard perl behavior when fed malformed utf-8. As long
37 > as it doesn't crash ikiwiki, it's probably acceptable. Ikiwiki can
38 > do some similar things itself when fed malformed utf-8 (doesn't
39 > crash tho) --[[Joey]]
48 ## Blindly activating more po4a format modules
50 The format modules we want to use have to be checked, as not all are
51 safe (e.g. the LaTeX module's behaviour is changed by commands
52 included in the content); they may use regexps generated from
59 _(AKA, the assumptions that will be the root of most security holes...)_
63 No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
64 directive that can be put in po files is supposed to cause mischief
65 (ie, include other files, run commands, crash gettext, whatever).
71 The only past security issue I could find in GNU gettext is
72 [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966),
73 *i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283):
74 the autopoint and gettextize scripts in the GNU gettext package (1.14
75 and later versions) may allow local users to overwrite files via
76 a symlink attack on temporary files.
78 This plugin would not have allowed to exploit this bug, as it does not
79 use, either directly or indirectly, the faulty scripts.
81 Note: the lack of found security issues can either indicate that there
82 are none, or reveal that no-one ever bothered to find or publish them.
86 `refreshpofiles()` runs this external program.
88 * I was not able to crash it with `zzuf`.
89 * I could not find any past security hole.
93 `isvalidpo()` runs this external program.
95 * I was not able to make it behave badly using zzuf: it exits cleanly
96 when too many errors are detected.
97 * I could not find any past security hole.
103 The only past security issue I could find in po4a is
104 [CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462):
105 `lib/Locale/Po4a/Po.pm` in po4a before 0.32 allowed local users to
106 overwrite arbitrary files via a symlink attack on the
107 gettextization.failed.po temporary file.
109 This plugin would not have allowed to exploit this bug, as it does not
110 use, either directly or indirectly, the faulty `gettextize` function.
112 Note: the lack of found security issues can either indicate that there
113 are none, or reveal that no-one ever bothered to find or publish them.
117 Are there any security issues on running po4a on untrusted content?
119 To say the least, this issue is not well covered, at least publicly:
121 * the documentation does not talk about it;
122 * grep'ing the source code for `security` or `trust` gives no answer.
124 On the other hand, a po4a developer answered my questions in
125 a convincing manner, stating that processing untrusted content was not
126 an initial goal, and analysing in detail the possible issues.
127 The following analysis was done with his help.
131 * the core (`Po.pm`, `Transtractor.pm`) should be safe
132 * po4a source code was fully checked for other potential symlink
133 attacks, after discovery of one such issue
134 * the only external program run by the core is `diff`, in `Po.pm` (in
135 parts of its code we don't use)
136 * `Locale::gettext` is only used to display translated error messages
137 * Nicolas François "hopes" `DynaLoader` is safe, and has "no reason to
138 think that `Encode` is not safe"
139 * Nicolas François has "no reason to think that `Encode::Guess` is not
140 safe". The po plugin nevertheless avoids using it by defining the
141 input charset (`file_in_charset`) before asking `TransTractor` to
142 read any file. NB: this hack depends on po4a internals.
144 #### Locale::Po4a::Text
146 * does not run any external program
147 * only `do_paragraph()` builds regexp's that expand untrusted
148 variables; according to [[Joey]], this is "Freaky code, but seems ok
149 due to use of `quotementa`".
153 `Text::WrapI18N` can cause DoS
154 ([Debian bug #470250](http://bugs.debian.org/470250)).
155 It is optional, and we do not need the features it provides.
157 If a recent enough po4a (>=2009-01-15 CVS, which will probably be
158 released as 0.35) is installed, this module's use is fully disabled.
159 Else, the wiki administrator is warned about this at runtime.
163 `Term::ReadKey` is not a hard dependency in our case, *i.e.* po4a
164 works nicely without it. But the po4a Debian package recommends
165 `libterm-readkey-perl`, so it will probably be installed on most
166 systems using the po plugin.
168 `Term::ReadKey` has too far reaching implications for us to
169 be able to guarantee anything wrt. security.
171 If a recent enough po4a (>=2009-01-15 CVS, which will probably be
172 released as 0.35) is installed, this module's use is fully disabled.
178 * po4a CVS 2009-01-16
181 `po4a-translate` uses more or less the same po4a features as our
184 Without specifying an input charset, same behaviour as
185 `po4a-gettextize`, so let's specify UTF-8 as input charset as of now.
187 `LICENSES` is a 21M file containing 100 concatenated copies of all the
188 files in `/usr/share/common-licenses/`; I had no existing PO file or
189 translated versions at hand, which renders these tests
192 zzuf -cv -s 0:10 -r 0.001:0.3 \
193 po4a-translate -d -f text -o markdown -M utf-8 -L utf-8 \
194 -k 0 -m LICENSES -p LICENSES.fr.po -l test.fr
196 ... seems to lose the fight, at the `readpo(LICENSES.fr.po)` step,
197 against some kind of infinite loop, deadlock, or any similar beast.
199 The root of this bug lies in `Text::WrapI18N`, see the corresponding