response

[git.ikiwiki.info.git] / doc / plugins / po.mdwn

diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn
index 92fba349fda19b8d29ac6fdab85a7538581e4754..dca2f5d6668615c29b8a4b3fae046b23d0d6ca27 100644 (file)
--- a/doc/plugins/po.mdwn
+++ b/doc/plugins/po.mdwn
@@ -5,6 +5,8 @@ This plugin adds support for multi-lingual wikis, translated with
 gettext, using [po4a](http://po4a.alioth.debian.org/).
 
 It depends on the Perl `Locale::Po4a::Po` library (`apt-get install po4a`).
 gettext, using [po4a](http://po4a.alioth.debian.org/).
 
 It depends on the Perl `Locale::Po4a::Po` library (`apt-get install po4a`).

+As detailed bellow in the security section, `po4a` is subject to
+denial-of-service attacks before version 0.35.

 
 [[!toc levels=2]]
 
 
 [[!toc levels=2]]
 


@@ -53,7 +55,7 @@ Supported languages
 languages, such as:
 
         po_slave_languages => { 'fr' => 'Français',
 languages, such as:
 
         po_slave_languages => { 'fr' => 'Français',

-                                'es' => 'Castellano',
+                                'es' => 'Español',

                                 'de' => 'Deutsch',
         }
 
                                 'de' => 'Deutsch',
         }
 


@@ -70,39 +72,40 @@ worry about excluding them explicitly from this [[ikiwiki/PageSpec]].
 Internal links
 --------------
 
 Internal links
 --------------
 

+### Links targets
+

 The `po_link_to` option in `ikiwiki.setup` is used to decide how
 internal links should be generated, depending on web server features
 and site-specific preferences.
 
 The `po_link_to` option in `ikiwiki.setup` is used to decide how
 internal links should be generated, depending on web server features
 and site-specific preferences.
 

-### Default linking behavior
+#### Default linking behavior

 
 If `po_link_to` is unset, or set to `default`, ikiwiki's default
 linking behavior is preserved: `\[[destpage]]` links to the master
 language's page.
 
 
 If `po_link_to` is unset, or set to `default`, ikiwiki's default
 linking behavior is preserved: `\[[destpage]]` links to the master
 language's page.
 

-### Link to current language
+#### Link to current language

 
 If `po_link_to` is set to `current`, `\[[destpage]]` links to the
 `destpage`'s version written in the current page's language, if
 available, *i.e.*:
 
 
 If `po_link_to` is set to `current`, `\[[destpage]]` links to the
 `destpage`'s version written in the current page's language, if
 available, *i.e.*:
 

-- `foo/destpage/index.LL.html` if `usedirs` is enabled
-- `foo/destpage.LL.html` if `usedirs` is disabled
+* `foo/destpage/index.LL.html` if `usedirs` is enabled
+* `foo/destpage.LL.html` if `usedirs` is disabled

 
 

-### Link to negotiated language
+#### Link to negotiated language

 
 If `po_link_to` is set to `negotiated`, `\[[page]]` links to the
 negotiated preferred language, *i.e.* `foo/page/`.
 
 (In)compatibility notes:
 
 
 If `po_link_to` is set to `negotiated`, `\[[page]]` links to the
 negotiated preferred language, *i.e.* `foo/page/`.
 
 (In)compatibility notes:
 

-- if `usedirs` is disabled, it does not make sense to set `po_link_to`
+* if `usedirs` is disabled, it does not make sense to set `po_link_to`

   to `negotiated`; this option combination is neither implemented
   nor allowed.
   to `negotiated`; this option combination is neither implemented
   nor allowed.

-- if the web server does not support Content Negotiation, setting
+* if the web server does not support Content Negotiation, setting

   `po_link_to` to `negotiated` will produce a unusable website.
 
   `po_link_to` to `negotiated` will produce a unusable website.
 

-

 Server support
 ==============
 
 Server support
 ==============
 


@@ -111,7 +114,8 @@ Apache
 
 Using Apache `mod_negotiation` makes it really easy to have Apache
 serve any page in the client's preferred language, if available.
 
 Using Apache `mod_negotiation` makes it really easy to have Apache
 serve any page in the client's preferred language, if available.

-This is the default Debian Apache configuration.
+
+Add 'Options MultiViews' to the wiki directory's configuration in Apache.

 
 When `usedirs` is enabled, one has to set `DirectoryIndex index` for
 the wiki context.
 
 When `usedirs` is enabled, one has to set `DirectoryIndex index` for
 the wiki context.


@@ -120,6 +124,8 @@ Setting `DefaultLanguage LL` (replace `LL` with your default MIME
 language code) for the wiki context can help to ensure
 `bla/page/index.en.html` is served as `Content-Language: LL`.
 
 language code) for the wiki context can help to ensure
 `bla/page/index.en.html` is served as `Content-Language: LL`.
 

+For details, see [Apache's documentation](http://httpd.apache.org/docs/2.2/content-negotiation.html).
+

 lighttpd
 --------
 
 lighttpd
 --------
 


@@ -147,43 +153,21 @@ display things only on translatable or translation pages.
 The `OTHERLANGUAGES` loop provides ways to display other languages'
 versions of the same page, and the translations' status.
 
 The `OTHERLANGUAGES` loop provides ways to display other languages'
 versions of the same page, and the translations' status.
 

-One typically adds the following code to `templates/page.tmpl`:
-
-       <TMPL_IF NAME="OTHERLANGUAGES">
-       <div id="otherlanguages">
-         <ul>
-         <TMPL_LOOP NAME="OTHERLANGUAGES">
-           <li>
-             <a href="<TMPL_VAR NAME="URL">"><TMPL_VAR NAME="LANGUAGE"></a>
-             <TMPL_UNLESS NAME="MASTER">
-               (<TMPL_VAR NAME="PERCENT">&nbsp;%)
-             </TMPL_UNLESS>
-           </li>
-         </TMPL_LOOP>
-         </ul>
-       </div>
-       </TMPL_IF>
-
-The following variables are available inside the loop (for every page in):
-
-- `URL` - url to the page
-- `CODE` - two-letters language code
-- `LANGUAGE` - language name (as defined in `po_slave_languages`)
-- `MASTER` - is true (1) if, and only if the page is a "master" page
-- `PERCENT` - for "slave" pages, is set to the translation completeness, in percents
+An example of its use can be found in the default
+`templates/page.tmpl`. In case you want to customize it, the following
+variables are available inside the loop (for every page in):
+
+* `URL` - url to the page
+* `CODE` - two-letters language code
+* `LANGUAGE` - language name (as defined in `po_slave_languages`)
+* `MASTER` - is true (1) if, and only if the page is a "master" page
+* `PERCENT` - for "slave" pages, is set to the translation completeness, in percents

 
 ### Display the current translation status
 
 The `PERCENTTRANSLATED` variable is set to the translation
 
 ### Display the current translation status
 
 The `PERCENTTRANSLATED` variable is set to the translation

-completeness, expressed in percent, on "slave" pages.
-
-One can use it this way:
-
-       <TMPL_IF NAME="ISTRANSLATION">
-       <div id="percenttranslated">
-         <TMPL_VAR NAME="PERCENTTRANSLATED">
-       </div>
-       </TMPL_IF>
+completeness, expressed in percent, on "slave" pages. It is used by
+the default `templates/page.tmpl`.

 
 Additional PageSpec tests
 -------------------------
 
 Additional PageSpec tests
 -------------------------


@@ -228,8 +212,8 @@ preferred `$EDITOR`, without needing to be online.
 Markup languages support
 ------------------------
 
 Markup languages support
 ------------------------
 

-Markdown is well supported. Some other markup languages supported by
-ikiwiki mostly work, but some pieces of syntax are not rendered
+[[Markdown|mdwn]] is well supported. Some other markup languages supported
+by ikiwiki mostly work, but some pieces of syntax are not rendered

 correctly on the slave pages:
 
 * [[reStructuredText|rst]]: anonymous hyperlinks and internal
 correctly on the slave pages:
 
 * [[reStructuredText|rst]]: anonymous hyperlinks and internal


@@ -240,277 +224,122 @@ correctly on the slave pages:
   could be used to support them, but they would need a security audit
 * other markup languages have not been tested.
 
   could be used to support them, but they would need a security audit
 * other markup languages have not been tested.
 

+Security
+========

 
 

-TODO
-====
-
-Security checks
----------------
-
-### Security history
-
-The only past security issues I could find in GNU gettext and po4a
-are:
-
-- [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966),
-  *i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283):
-  the autopoint and gettextize scripts in the GNU gettext package
-  1.14 and later versions, as used in Trustix Secure Linux 1.5
-  through 2.1 and other operating systems, allows local users to
-  overwrite files via a symlink attack on temporary files.
-- [CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462):
-  `lib/Locale/Po4a/Po.pm` in po4a before 0.32 allows local users to
-  overwrite arbitrary files via a symlink attack on the
-  gettextization.failed.po temporary file.
-
-**FIXME**: check whether this plugin would have been a possible attack
-vector to exploit these vulnerabilities.
-
-Depending on my mood, the lack of found security issues can either
-indicate that there are none, or reveal that no-one ever bothered to
-find (and publish) them.
-
-### PO file features
-
-Can any sort of directives be put in po files that will cause mischief
-(ie, include other files, run commands, crash gettext, whatever)?
-
-> No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
-> directive is supposed to do so. [[--intrigeri]]
-
-### Running po4a on untrusted content
-
-Are there any security issues on running po4a on untrusted content?
-
-To say the least, this issue is not well covered, at least publicly:
-
-- the documentation does not talk about it;
-- grep'ing the source code for `security` or `trust` gives no answer.
-
-On the other hand, a po4a developer answered my questions in
-a convincing manner, stating that processing untrusted content was not
-an initial goal, and analysing in detail the possible issues.
-
-#### Already checked
-
-- the core (`Po.pm`, `Transtractor.pm`) should be safe
-- po4a source code was fully checked for other potential symlink
-  attacks, after discovery of one such issue
-- the only external program run by the core is `diff`, in `Po.pm` (in
-  parts of its code we don't use)
-- `Locale::gettext`: only used to display translated error messages
-- Nicolas François "hopes" `DynaLoader` is safe, and has "no reason to
-  think that `Encode` is not safe"
-- Nicolas François has "no reason to think that `Encode::Guess` is not
-  safe". The po plugin nevertheless avoids using it by defining the
-  input charset (`file_in_charset`) before asking `Transtractor` to
-  read any file. NB: this hack depends on po4a internals to stay
-  the same.
-
-##### Locale::Po4a modules
-
-The modules we want to use have to be checked, as not all are safe
-(e.g. the LaTeX module's behaviour is changed by commands included in
-the content); they may use regexps generated from the content.
-
-`Chooser.pm` only loads the plugin we tell it too: currently, this
-means the `Text` module only.
-
-`Text` module (I checked the CVS version):
-
-- it does not run any external program
-- only `do_paragraph()` builds regexp's that expand untrusted
-  variables; they seem safe to me, but someone more expert than me
-  will need to check. Joey?
-
-  > Freaky code, but seems ok due to use of `quotementa`.
-
-#### To be checked
-
-##### Text::WrapI18N
-
-`Text::WrapI18N` can cause DoS (see the
-[Debian bug #470250](http://bugs.debian.org/470250)), but it is
-optional and we do not need the features it provides.
-
-> I proposed a patch based on Joey's to po4a-devel, allowing to fully
-> disable this module's use. When it is merged upstream, we'll need to add
-> `use Locale::Po4a::Common qw(nowrapi18n)` to `po.pm`, before loading
-> any other `Locale::Po4a` module. A versioned dependency may be needed.
-> --[[intrigeri]]
+[[po/discussion]] contains a detailed security analysis of this plugin
+and its dependencies.

 
 

-##### Term::ReadKey
+When using po4a older than 0.35, it is recommended to uninstall
+`Text::WrapI18N` (Debian package `libtext-wrapi18n-perl`), in order to
+avoid a potential denial of service.

 
 

-`Term::ReadKey` is not a hard dependency in our case, *i.e.* po4a
-works nicely without it. But the po4a Debian package recommends
-`libterm-readkey-perl`, so it will probably be installed on most
-systems using the po plugin.
-
-`Term::ReadKey` has too far reaching implications for us to
-be able to guarantee anything wrt. security.
-
-> The option that disables `Text::WrapI18N` also disables
-> `Term::ReadKey` as a consequence. [[--intrigeri]]
-
-### msgmerge
-
-`refreshpofiles()` runs this external program.
-
-A po4a developer answered he does "not expect any security issues from
-it". I did not manage to crash it with `zzuf`, nor was able to find
-any past security holes.
-
-### msgfmt
-
-`isvalidpo()` runs this external program.
-
-* I could not manage to make it behave badly using zzuf, it exits
-  cleanly when too many errors are detected.
-* I could not find any past security holes.
-
-### Fuzzing input
-
-Test conditions:
-
-- a 21M file containing 100 concatenated copies of all the files in my
-  `/usr/share/common-licenses/`; I had no existing PO file or
-  translated versions at hand, which renders these tests
-  quite incomplete.
-- po4a was the Debian 0.34-2 package; the same tests were also run
-  after replacing the `Text` module with the CVS one (the core was not
-  changed in CVS since 0.34-2 was released), without any significant
-  difference in the results.
-- Perl 5.10.0-16
-
-#### po4a-gettextize
-
-`po4a-gettextize` uses more or less the same po4a features as our
-`refreshpot` function.
-
-Without specifying an input charset, zzuf'ed `po4a-gettextize` quickly
-errors out, complaining it was not able to detect the input charset;
-it leaves no incomplete file on disk.
-
-So I had to pretend the input was in UTF-8, as does the po plugin.
+TODO
+====

 
 

-Two ways of crashing were revealed by this command-line:
+Better links
+------------

 
 

-        zzuf -vc -s 0:100 -r 0.1:0.5 \
-          po4a-gettextize -f text -o markdown -M utf-8 -L utf-8 \
-            -m LICENSES >/dev/null
+Once the fix to
+[[bugs/pagetitle_function_does_not_respect_meta_titles]] from
+[[intrigeri]]'s `meta` branch is merged into ikiwiki upstream, the
+generated links' text will be optionally based on the page titles set
+with the [[meta|plugins/meta]] plugin, and will thus be translatable.
+It will also allow displaying the translation status in links to slave
+pages. Both were implemented, and reverted in commit
+ea753782b222bf4ba2fb4683b6363afdd9055b64, which should be reverted
+once [[intrigeri]]'s `meta` branch is merged.
+
+An integration branch, called `meta-po`, merges [[intrigeri]]'s `po`
+and `meta` branches, and thus has this additional features.
+
+Self links
+----------

 
 

-They are:
+If a page contains a WikiLink to itself, ikiwiki does not normally
+turn that into a hyperlink. However, if a translated page contains a
+WikiLink to itself, a hyperlink is inserted, at least with the default
+`po_link_to` the link points to the English version of the page. Is there a
+good reason for that to be done? --[[Joey]] 

 
 

-        Malformed UTF-8 character (UTF-16 surrogate 0xdcc9) in substitution iterator at /usr/share/perl5/Locale/Po4a/Po.pm line 1443.
-        Malformed UTF-8 character (fatal) at /usr/share/perl5/Locale/Po4a/Po.pm line 1443.
+Language display order
+----------------------

 
 

-and
+Jonas pointed out that one might want to control the order that links to
+other languages are listed, for various reasons. Currently, there is no
+order, as `po_slave_languages` is a hash. It would need to be converted
+to an array to support this. (If twere done, twere best done quickly.)
+--[[Joey]] 

 
 

-        Malformed UTF-8 character (UTF-16 surrogate 0xdcec) in substitution (s///) at /usr/share/perl5/Locale/Po4a/Po.pm line 1443.
-        Malformed UTF-8 character (fatal) at /usr/share/perl5/Locale/Po4a/Po.pm line 1443.
+Duplicate %links ?
+------------------

 
 

-Perl seems to exit cleanly, and an incomplete PO file is written on
-disk. I not sure whether if this is a bug in Perl or in `Po.pm`.
+I notice code in the scan hook that seems to assume
+that %links will accumulate duplicate links for a page.
+That used to be so, but the bug was fixed. Does this mean
+that po might be replacing the only link on a page, in error? 
+--[[Joey]] 

 
 

-> It's fairly standard perl behavior when fed malformed utf-8. As long as it doesn't
-> crash ikiwiki, it's probably acceptable. Ikiwiki can do some similar things itself when fed malformed utf-8 (doesn't crash tho) --[[Joey]]
+Name of toplevel index page
+---------------------------

 
 

-#### po4a-translate
+Normally at the top index page of a wiki, you see the wiki name at
+the top. However, at the top *translated* index page, you see something
+like "index.da". --[[Joey]] 

 
 

-`po4a-translate` uses more or less the same po4a features as our
-`filter` function.
+Pagespecs
+---------

 
 

-Without specifying an input charset, same behaviour as
-`po4a-gettextize`, so let's specify UTF-8 as input charset as of now.
+I was suprised that, when using the map directive, a pagespec of "*"
+listed all the translated pages as well as regular pages. That can 
+make a big difference to an existing wiki when po is turned on,
+and seems generally not wanted.
+(OTOH, you do want to match translated pages by
+default when locking pages.) --[[Joey]]

 
 

-        zzuf -cv \
-          po4a-translate -d -f text -o markdown -M utf-8 -L utf-8 \
-            -k 0 -m LICENSES -p LICENSES.fr.po -l test.fr
+Edit links on untranslated pages
+--------------------------------

 
 

-... prints tons of occurences of the following error, but a complete
-translated document is written (obviously with some weird chars
-inside):
+If a page is not translated yet, the "translated" version of it
+displays wikilinks to other, existing (but not yet translated?)
+pages as edit links, as if those pages do not exist. 

 
 

-        Use of uninitialized value in string ne at /usr/share/perl5/Locale/Po4a/TransTractor.pm line 854.
-        Use of uninitialized value in string ne at /usr/share/perl5/Locale/Po4a/TransTractor.pm line 840.
-        Use of uninitialized value in pattern match (m//) at /usr/share/perl5/Locale/Po4a/Po.pm line 1002.
+That's really confusing, especially as clicking such a link
+brings up an edit form to create a new, english page.

 
 

-While:
+This is with po_link_to=current or negotiated. With default, it doesn't
+happen.. 

 
 

-        zzuf -cv -s 0:10 -r 0.001:0.3 \
-          po4a-translate -d -f text -o markdown -M utf-8 -L utf-8 \
-            -k 0 -m LICENSES -p LICENSES.fr.po -l test.fr
+Also, this may only happen if the page being linked to is coming from an
+underlay, and the underlays lack translation to a given language.
+--[[Joey]] 

 
 

-... seems to lose the fight, at the `readpo(LICENSES.fr.po)` step,
-against some kind of infinite loop, deadlock, or any similar beast.
+recentchanges links to po files
+-------------------------------

 
 

-The root of this bug lies in `Text::WrapI18N`, see above for
-possible solutions.
+When a po file is changed, the recentchanges page shows a link such as
+"sandbox.es". But, clicking on it goes to the English (or negotiated
+language) version of the page. It would be better in this one case if
+the link went direct to the translated version of the page. --[[Joey]] 

 
 

-gettext/po4a rough corners
+Double commits of po files

 --------------------------
 
 --------------------------
 

-- fix infinite loop when synchronizing two ikiwiki (when checkouts
-  live in different directories): say bla.fr.po has been updated in
-  repo2; pulling repo2 from repo1 seems to trigger a PO update, that
-  changes bla.fr.po in repo1; then pushing repo1 to repo2 triggers
-  a PO update, that changes bla.fr.po in repo2; etc.; quickly fixed in
-  `629968fc89bced6727981c0a1138072631751fee`, by disabling references
-  in Pot files. Using `Locale::Po4a::write_if_needed` might be
-  a cleaner solution. (warning: this function runs the external
-  `diff` program, have to check security)
-- new translations created in the web interface must get proper
-  charset/encoding gettext metadata, else the next automatic PO update
-  removes any non-ascii chars; possible solution: put such metadata
-  into the Pot file, and let it propagate; should be fixed in
-  `773de05a7a1ee68d2bed173367cf5e716884945a`, time will tell.
+When adding a new english page, the po files are created, committed,
+and then committed again. The second commit makes this change:

 
 

-Better links
-------------
-
-### Page title in links
-
-Using the fix to
-[[bugs/pagetitle_function_does_not_respect_meta_titles]] from
-[[intrigeri]]'s `meta` branch, the generated links' text is based on
-the page titles set with the [[meta|plugins/meta]] plugin. This has to
-be merged into ikiwiki upstream, though.
+       -"Content-Type: text/plain; charset=utf-8\n"
+       -"Content-Transfer-Encoding: ENCODING"
+       +"Content-Type: text/plain; charset=UTF-8\n"
+       +"Content-Transfer-Encoding: ENCODING\n"

 
 

-Robustness tests
-----------------
+Same thing happens when a change to an existing page triggers a po file
+update. --[[Joey]] 

 
 

-### Enabling/disabling the plugin
+Ugly messages with empty files
+------------------------------

 
 

-- enabling the plugin with `po_translatable_pages` set to blacklist: **OK**
-- enabling the plugin with `po_translatable_pages` set to whitelist: **OK**
-- enabling the plugin without `po_translatable_pages` set: **OK**
-- disabling the plugin: **OK**
-
-### Changing the plugin config
-
-- adding existing pages to `po_translatable_pages`: **OK**
-- removing existing pages from `po_translatable_pages`: **OK**
-- adding a language to `po_slave_languages`: **OK**
-- removing a language from `po_slave_languages`: **OK**
-- changing `po_master_language`: **OK**
-- replacing `po_master_language` with a language previously part of
-  `po_slave_languages`: needs two rebuilds, but **OK** (this is quite
-  a perverse test actually)
-
-### Creating/deleting/renaming pages
-
-All cases of master/slave page creation/deletion/rename, both via RCS
-and via CGI, have been tested.
-
-### Misc
-
-- general test with `usedirs` disabled: **OK**
-- general test with `indexpages` enabled: **not OK**
-- general test with `po_link_to=default` with `userdirs` enabled: **OK**
-- general test with `po_link_to=default` with `userdirs` disabled: **OK**
-
-Misc. bugs
-----------
+If there are empty .mdwn files, the po plugin displays some ugly messages.

 
 Documentation
 -------------
 
 Documentation
 -------------