It depends on the Perl `Locale::Po4a::Po` library (`apt-get install po4a`).
+[[!toc]]
+
Introduction
============
Committing changes to a "master" page:
-1. updates the POT file and the PO files for the supported languages;
- the updated PO files are then put under version control
-2. triggers a refresh of the corresponding HTML slave pages
+1. updates the POT file and the PO files for the "slave" languages;
+ the updated PO files are then put under version control;
+2. triggers a refresh of the corresponding HTML slave pages.
Also, when the plugin has just been enabled, or when a page has just
been declared as being translatable, the needed POT and PO files are
Discussion pages
----------------
-Discussion should happen in the language in which the pages are written for
-real, *i.e.* the "master" one. If discussion pages are enabled, "slave" pages
-therefore link to the "master" page's discussion page.
+Discussion should happen in the language in which the pages are
+written for real, *i.e.* the "master" one. If discussion pages are
+enabled, "slave" pages therefore link to the "master" page's
+discussion page.
Translating
-----------
-One can edit the PO files using ikiwiki's CGI (a message-by-message interface
-could also be implemented at some point).
+One can edit the PO files using ikiwiki's CGI (a message-by-message
+interface could also be implemented at some point).
If [[tips/untrusted_git_push]] is setup, one can edit the PO files in one's
preferred `$EDITOR`, without needing to be online.
TODO
====
-OTHERLANGUAGES dependencies
----------------------------
-
-Pages using `OTHERLANGUAGES` depend on any "master" and "slave" pages
-whose status is being displayed. It is supposed to trigger dependency
-loops, but no practical bugs were noticed yet.
-
-Should pages using the `OTHERLANGUAGES` template loop be declared as
-linking to the same page in other versions? To be rigorous, they
-should, but this may clutter the backlinks.
-
Security checks
---------------
-- `refreshpofiles` uses `system()`, whose args have to be checked more
- thoroughly to prevent any security issue (command injection, etc.).
-- `refreshpofiles` and `refreshpot` create new files; this may need
- some checks, e.g. using `IkiWiki::prep_writefile()`
+### Security history
+
+The only past security issues I could find in GNU gettext and po4a
+are:
+
+- [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966),
+ *i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283):
+ the autopoint and gettextize scripts in the GNU gettext package
+ 1.14 and later versions, as used in Trustix Secure Linux 1.5
+ through 2.1 and other operating systems, allows local users to
+ overwrite files via a symlink attack on temporary files.
+- [CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462):
+ `lib/Locale/Po4a/Po.pm` in po4a before 0.32 allows local users to
+ overwrite arbitrary files via a symlink attack on the
+ gettextization.failed.po temporary file.
+
+**FIXME**: check whether this plugin would have been a possible attack
+vector to exploit these vulnerabilities.
+
+Depending on my mood, the lack of found security issues can either
+indicate that there are none, or reveal that no-one ever bothered to
+find (and publish) them.
+
+### PO file features
+
+Can any sort of directives be put in po files that will cause mischief
+(ie, include other files, run commands, crash gettext, whatever)?
+
+> No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
+> directive is supposed to do so.
+
+### Running po4a on untrusted content
+
+Are there any security issues on running po4a on untrusted content?
+
+> To say the least, this issue is not well covered, at least publicly:
+>
+> - the documentation does not talk about it;
+> - grep'ing the source code for `security` or `trust` gives no answer.
+>
+> I'll ask their opinion to the po4a maintainers.
+>
+> I'm not in a position to audit the code, but I had a look anyway:
+>
+> - no use of `system()`, `exec()` or backticks in `Locale::Po4a`; are
+> there any other way to run external programs in Perl?
+> - a symlink attack vulnerability was already discovered, so I "hope"
+> the code has been checked to find some more already
+> - the po4a parts we are using themselves use the following Perl
+> modules: `DynaLoader`, `Encode`, `Encode::Guess`,
+> `Text::WrapI18N`, `Locale::gettext` (`bindtextdomain`,
+> `textdomain`, `gettext`, `dgettext`)
+>
+> --[[intrigeri]]
+
+### Fuzzing input
+
+I was not able to find any public information about gettext or po4a
+having been tested with a fuzzing program, such as `zzuf` or `fusil`.
+Moreover, some gettext parsers seem to be quite
+[easy to crash](http://fusil.hachoir.org/trac/browser/trunk/fuzzers/fusil-gettext),
+so it might be useful to bang gettext/po4a's heads against such
+a program in order to easily detect some of the most obvious DoS.
+[[--intrigeri]]
gettext/po4a rough corners
--------------------------
live in different directories): say bla.fr.po has been updated in
repo2; pulling repo2 from repo1 seems to trigger a PO update, that
changes bla.fr.po in repo1; then pushing repo1 to repo2 triggers
- a PO update, that changes bla.fr.po in repo2; etc.; fixed in
- `629968fc89bced6727981c0a1138072631751fee`?
-- new translations created in the web interface must get proper charset/encoding
- gettext metadata, else the next automatic PO update removes any non-ascii
- chars; possible solution: put such metadata into the Pot file, and let it
- propagate; should be fixed in `773de05a7a1ee68d2bed173367cf5e716884945a`, time
- will tell.
+ a PO update, that changes bla.fr.po in repo2; etc.; quickly fixed in
+ `629968fc89bced6727981c0a1138072631751fee`, by disabling references
+ in Pot files. Using `Locale::Po4a::write_if_needed` might be
+ a cleaner solution.
+- new translations created in the web interface must get proper
+ charset/encoding gettext metadata, else the next automatic PO update
+ removes any non-ascii chars; possible solution: put such metadata
+ into the Pot file, and let it propagate; should be fixed in
+ `773de05a7a1ee68d2bed173367cf5e716884945a`, time will tell.
Misc. improvements
------------------
-### preview
-
-preview does not work for PO files.
-
-### automatic POT/PO update
-
-Use the `change` hook instead of `needsbuild`?
-
### page titles
-Use nice page titles from meta plugin in links, as inline already does. This is
-actually a duplicate for
-[[bugs/pagetitle_function_does_not_respect_meta_titles]], which might be fixed
-by something like [[todo/using_meta_titles_for_parentlinks]].
-
-### websetup
-
-Which configuration settings are safe enough for websetup?
-
-> I see no problems with `po_master_language` and `po_slave_languages`
-> (assuming websetup handles the hashes correctly). Would not hurt to check
-> that the values of these are legal language codes, in `checkconfig`.
-> `po_translatable_pages` seems entirely safe. `po_link_to` w/o usedirs
-> causes ikiwiki to error out. If it were changed to fall back to a safe
-> setting in this case rather than error, it would be safe.
-> --[[Joey]]
-
-### parentlinks
-
-When the wiki home page is translatable, the parentlinks plugin sets
-`./index.html` as its translations' single parent link. Ideally, the home page's
-translations should get no parent link at all, just like the version written in
-the master language.
-
-### backlinks
-
-If a given translatable `sourcepage.mdwn` links to \[[destpage]],
-`sourcepage.LL.po` also link to \[[destpage]], and the latter has the master
-page *and* all its translations listed in the backlinks.
+Use nice page titles from meta plugin in links, as inline already
+does. This is actually a duplicate for
+[[bugs/pagetitle_function_does_not_respect_meta_titles]], which might
+be fixed by something like [[todo/using_meta_titles_for_parentlinks]].
Translation quality assurance
-----------------------------