X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/c8e3136d0091bd024e6dc1f3c21a10a92f2017d4..4e7b7a178890eb8d28edcd2e6ab2763c9a3988e5:/doc/plugins/po.mdwn?ds=sidebyside diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn index 9298b3d37..b701d3662 100644 --- a/doc/plugins/po.mdwn +++ b/doc/plugins/po.mdwn @@ -5,6 +5,8 @@ This plugin adds support for multi-lingual wikis, translated with gettext, using [po4a](http://po4a.alioth.debian.org/). It depends on the Perl `Locale::Po4a::Po` library (`apt-get install po4a`). +As detailed bellow in the security section, `po4a` is subject to +denial-of-service attacks before version 0.35. [[!toc levels=2]] @@ -31,6 +33,12 @@ Example: `bla/page.fr.po` is the PO "message catalog" used to translate `bla/page.mdwn` into French; if `usedirs` is enabled, it is rendered as `bla/page/index.fr.html`, else as `bla/page.fr.html` +(In)Compatibility +================= + +This plugin does not support the `indexpages` mode. If you don't know +what it is, you probably don't care. + Configuration ============= @@ -41,15 +49,15 @@ Supported languages `po_master_language` is used to set the "master" language in `ikiwiki.setup`, such as: - po_master_language => { 'code' => 'en', 'name' => 'English' } + po_master_language => 'en|English' `po_slave_languages` is used to set the list of supported "slave" languages, such as: - po_slave_languages => { 'fr' => 'Français', - 'es' => 'Castellano', - 'de' => 'Deutsch', - } + po_slave_languages => [ 'fr|Français', + 'es|Español', + 'de|Deutsch', + ] Decide which pages are translatable ----------------------------------- @@ -64,39 +72,40 @@ worry about excluding them explicitly from this [[ikiwiki/PageSpec]]. Internal links -------------- +### Links targets + The `po_link_to` option in `ikiwiki.setup` is used to decide how internal links should be generated, depending on web server features and site-specific preferences. -### Default linking behavior +#### Default linking behavior If `po_link_to` is unset, or set to `default`, ikiwiki's default linking behavior is preserved: `\[[destpage]]` links to the master language's page. -### Link to current language +#### Link to current language If `po_link_to` is set to `current`, `\[[destpage]]` links to the `destpage`'s version written in the current page's language, if available, *i.e.*: -- `foo/destpage/index.LL.html` if `usedirs` is enabled -- `foo/destpage.LL.html` if `usedirs` is disabled +* `foo/destpage/index.LL.html` if `usedirs` is enabled +* `foo/destpage.LL.html` if `usedirs` is disabled -### Link to negotiated language +#### Link to negotiated language If `po_link_to` is set to `negotiated`, `\[[page]]` links to the negotiated preferred language, *i.e.* `foo/page/`. (In)compatibility notes: -- if `usedirs` is disabled, it does not make sense to set `po_link_to` +* if `usedirs` is disabled, it does not make sense to set `po_link_to` to `negotiated`; this option combination is neither implemented nor allowed. -- if the web server does not support Content Negotiation, setting +* if the web server does not support Content Negotiation, setting `po_link_to` to `negotiated` will produce a unusable website. - Server support ============== @@ -105,23 +114,28 @@ Apache Using Apache `mod_negotiation` makes it really easy to have Apache serve any page in the client's preferred language, if available. -This is the default Debian Apache configuration. -When `usedirs` is enabled, one has to set `DirectoryIndex index` for -the wiki context. +Add 'Options MultiViews' to the wiki directory's configuration in Apache. -Setting `DefaultLanguage LL` (replace `LL` with your default MIME -language code) for the wiki context can help to ensure -`bla/page/index.en.html` is served as `Content-Language: LL`. +When `usedirs` is enabled, you should also set `DirectoryIndex index`. + +These settings are also recommended, in order to avoid serving up rss files +as index pages: + + AddType application/rss+xml;qs=0.8 .rss + AddType application/atom+xml;qs=0.8 .atom + +For details, see [Apache's documentation](http://httpd.apache.org/docs/2.2/content-negotiation.html). lighttpd -------- -lighttpd unfortunately does not support content negotiation. +Recent versions of lighttpd should be able to use +`$HTTP["language"]` to configure the translated pages to be served. -**FIXME**: does `mod_magnet` provide the functionality needed to - emulate this? +See [Lighttpd Issue](http://redmine.lighttpd.net/issues/show/1119) +TODO: Example Usage ===== @@ -136,48 +150,29 @@ the wiki homepage. The `ISTRANSLATION` and `ISTRANSLATABLE` variables can be used to display things only on translatable or translation pages. +The `LANG_CODE` and `LANG_NAME` variables can respectively be used to +display the current page's language code and pretty name. + ### Display page's versions in other languages The `OTHERLANGUAGES` loop provides ways to display other languages' versions of the same page, and the translations' status. -One typically adds the following code to `templates/page.tmpl`: - - -
- -
-
- -The following variables are available inside the loop (for every page in): - -- `URL` - url to the page -- `CODE` - two-letters language code -- `LANGUAGE` - language name (as defined in `po_slave_languages`) -- `MASTER` - is true (1) if, and only if the page is a "master" page -- `PERCENT` - for "slave" pages, is set to the translation completeness, in percents +An example of its use can be found in the default +`templates/page.tmpl`. In case you want to customize it, the following +variables are available inside the loop (for every page in): + +* `URL` - url to the page +* `CODE` - two-letters language code +* `LANGUAGE` - language name (as defined in `po_slave_languages`) +* `MASTER` - is true (1) if, and only if the page is a "master" page +* `PERCENT` - for "slave" pages, is set to the translation completeness, in percents ### Display the current translation status The `PERCENTTRANSLATED` variable is set to the translation -completeness, expressed in percent, on "slave" pages. - -One can use it this way: - - -
- -
-
+completeness, expressed in percent, on "slave" pages. It is used by +the default `templates/page.tmpl`. Additional PageSpec tests ------------------------- @@ -207,7 +202,7 @@ enabled, "slave" pages therefore link to the "master" page's discussion page. Likewise, "slave" pages are not supposed to have sub-pages; -[[WikiLinks|wikilink]] that appear on a "slave" page therefore link to +[[WikiLinks|ikiwiki/wikilink]] that appear on a "slave" page therefore link to the master page's sub-pages. Translating @@ -222,349 +217,36 @@ preferred `$EDITOR`, without needing to be online. Markup languages support ------------------------ -Markdown is well supported. Some other markup languages supported by -ikiwiki mostly work, but some pieces of syntax are not rendered -correctly on the slave pages: +[[Markdown|mdwn]] and [[html]] are well supported. Some other markup +languages supported by ikiwiki mostly work, but some pieces of syntax +are not rendered correctly on the slave pages: * [[reStructuredText|rst]]: anonymous hyperlinks and internal cross-references * [[wikitext]]: conversion of newlines to paragraphs * [[creole]]: verbatim text is wrapped, tables are broken -* [[html]] and LaTeX: not supported yet; the dedicated po4a modules - could be used to support them, but they would need a security audit +* LaTeX: not supported yet; the dedicated po4a module + could be used to support it, but it would need a security audit * other markup languages have not been tested. +Security +======== -TODO -==== - -Security checks ---------------- - -### Security history - -The only past security issues I could find in GNU gettext and po4a -are: - -- [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966), - *i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283): - the autopoint and gettextize scripts in the GNU gettext package - 1.14 and later versions, as used in Trustix Secure Linux 1.5 - through 2.1 and other operating systems, allows local users to - overwrite files via a symlink attack on temporary files. -- [CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462): - `lib/Locale/Po4a/Po.pm` in po4a before 0.32 allows local users to - overwrite arbitrary files via a symlink attack on the - gettextization.failed.po temporary file. - -**FIXME**: check whether this plugin would have been a possible attack -vector to exploit these vulnerabilities. - -Depending on my mood, the lack of found security issues can either -indicate that there are none, or reveal that no-one ever bothered to -find (and publish) them. - -### PO file features - -Can any sort of directives be put in po files that will cause mischief -(ie, include other files, run commands, crash gettext, whatever)? - -> No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files) -> directive is supposed to do so. [[--intrigeri]] - -### Running po4a on untrusted content - -Are there any security issues on running po4a on untrusted content? - -To say the least, this issue is not well covered, at least publicly: - -- the documentation does not talk about it; -- grep'ing the source code for `security` or `trust` gives no answer. - -On the other hand, a po4a developer answered my questions in -a convincing manner, stating that processing untrusted content was not -an initial goal, and analysing in detail the possible issues. - -#### Already checked - -- the core (`Po.pm`, `Transtractor.pm`) should be safe -- po4a source code was fully checked for other potential symlink - attacks, after discovery of one such issue -- the only external program run by the core is `diff`, in `Po.pm` (in - parts of its code we don't use) -- `Locale::gettext`: only used to display translated error messages -- Nicolas François "hopes" `DynaLoader` is safe, and has "no reason to - think that `Encode` is not safe" -- Nicolas François has "no reason to think that `Encode::Guess` is not - safe". The po plugin nevertheless avoids using it by defining the - input charset (`file_in_charset`) before asking `Transtractor` to - read any file. NB: this hack depends on po4a internals to stay - the same. - -#### To be checked - -##### Locale::Po4a modules - -The modules we want to use have to be checked, as not all are safe -(e.g. the LaTeX module's behaviour is changed by commands included in -the content); they may use regexps generated from the content. - -`Chooser.pm` only loads the plugin we tell it too: currently, this -means the `Text` module only. - -`Text` module (I checked the CVS version): - -- it does not run any external program -- only `do_paragraph()` builds regexp's that expand untrusted - variables; they seem safe to me, but someone more expert than me - will need to check. Joey? - - > Freaky code, but seems ok due to use of `quotementa`. - -##### Text::WrapI18N - -`Text::WrapI18N` can cause DoS (see the -[Debian bug #470250](http://bugs.debian.org/470250)), but it is -optional and we do not need the features it provides. - -It is loaded if available by `Locale::Po4a::Common`; looking at the -code, I'm not sure we can prevent this at all, but maybe some symbol -table manipulation tricks could work; overriding -`Locale::Po4a::Common::wrapi18n` may be easier. I'm no expert at all -in this field. Joey? [[--intrigeri]] - -> Update: Nicolas François suggests we add an option to po4a to -> disable it. It would do the trick, but only for people running -> a brand new po4a (probably too late for Lenny). Anyway, this option -> would have to take effect in a `BEGIN` / `eval` that I'm not -> familiar with. I can learn and do it, in case no Perl wizard -> volunteers to provide the po4a patch. [[--intrigeri]] - ->> That doesn't really need to be in a BEGIN. This patch moves it to ->> `import`, and makes this disable wrap18n: ->> `use Locale::Po4a::Common q{nowrapi18n}` --[[Joey]] - -
---- /usr/share/perl5/Locale/Po4a/Common.pm	2008-07-21 14:54:52.000000000 -0400
-+++ Common.pm	2008-11-11 18:27:34.000000000 -0500
-@@ -30,8 +30,16 @@
- use strict;
- use warnings;
- 
--BEGIN {
--    if (eval { require Text::WrapI18N }) {
-+sub import {
-+    my $class=shift;
-+    my $wrapi18n=1;
-+    if ($_[0] eq 'nowrapi18n') {
-+    	shift;
-+	$wrapi18n=0;
-+    }
-+    $class->export_to_level(1, $class, @_);
-+
-+    if ($wrapi18n && eval { require Text::WrapI18N }) {
-     
-         # Don't bother determining the wrap column if we cannot wrap.
-         my $col=$ENV{COLUMNS};
-
- -##### Term::ReadKey - -`Term::ReadKey` is not a hard dependency in our case, *i.e.* po4a -works nicely without it. But the po4a Debian package recommends -`libterm-readkey-perl`, so it will probably be installed on most -systems using the po plugin. - -If `$ENV{COLUMNS}` is not set, `Locale::Po4a::Common` uses -`Term::ReadKey::GetTerminalSize()` to get the terminal size. How safe -is this? - -Part of `Term::ReadKey` is written in C. Depending on the runtime -platform, this function use ioctl, environment, or C library function -calls, and may end up running the `resize` command (without -arguments). - -IMHO, using Term::ReadKey has too far reaching implications for us to -be able to guarantee anything wrt. security. Since it is anyway of no -use in our case, I suggest we define `ENV{COLUMNS}` before loading -`Locale::Po4a::Common`, just to be on the safe side. Joey? -[[--intrigeri]] - -> Update: adding an option to disable `Text::WrapI18N`, as Nicolas -> François suggested, would as a bonus disable `Term::ReadKey` -> as well. [[--intrigeri]] - -### msgmerge - -`refreshpofiles()` runs this external program. A po4a developer -answered he does "not expect any security issues from it". - -### msgfmt - -`isvalidpo()` runs this external program. Its security should be checked. - -### Fuzzing input - -I was not able to find any public information about gettext or po4a -having been tested with a fuzzing program, such as `zzuf` or `fusil`. -Moreover, some gettext parsers seem to be quite -[easy to crash](http://fusil.hachoir.org/trac/browser/trunk/fuzzers/fusil-gettext), -so it might be useful to bang msgmerge/po4a's heads against such -a program in order to easily detect some of the most obvious DoS. -[[--intrigeri]] - -> po4a was not fuzzy-tested, but according to one of its developers, -> "it would be really appreciated". [[--intrigeri]] - -Test conditions: - -- a 21M file containing 100 concatenated copies of all the files in my - `/usr/share/common-licenses/`; I had no existing PO file or - translated versions at hand, which renders these tests - quite incomplete. -- po4a was the Debian 0.34-2 package; the same tests were also run - after replacing the `Text` module with the CVS one (the core was not - changed in CVS since 0.34-2 was released), without any significant - difference in the results. -- Perl 5.10.0-16 - -#### po4a-gettextize - -`po4a-gettextize` uses more or less the same po4a features as our -`refreshpot` function. - -Without specifying an input charset, zzuf'ed `po4a-gettextize` quickly -errors out, complaining it was not able to detect the input charset; -it leaves no incomplete file on disk. - -So I had to pretend the input was in UTF-8, as does the po plugin. - -Two ways of crashing were revealed by this command-line: - - zzuf -vc -s 0:100 -r 0.1:0.5 \ - po4a-gettextize -f text -o markdown -M utf-8 -L utf-8 \ - -m LICENSES >/dev/null - -They are: +[[po/discussion]] contains a detailed security analysis of this plugin +and its dependencies. - Malformed UTF-8 character (UTF-16 surrogate 0xdcc9) in substitution iterator at /usr/share/perl5/Locale/Po4a/Po.pm line 1443. - Malformed UTF-8 character (fatal) at /usr/share/perl5/Locale/Po4a/Po.pm line 1443. +When using po4a older than 0.35, it is recommended to uninstall +`Text::WrapI18N` (Debian package `libtext-wrapi18n-perl`), in order to +avoid a potential denial of service. -and - - Malformed UTF-8 character (UTF-16 surrogate 0xdcec) in substitution (s///) at /usr/share/perl5/Locale/Po4a/Po.pm line 1443. - Malformed UTF-8 character (fatal) at /usr/share/perl5/Locale/Po4a/Po.pm line 1443. - -Perl seems to exit cleanly, and an incomplete PO file is written on -disk. I not sure whether if this is a bug in Perl or in `Po.pm`. - -> It's fairly standard perl behavior when fed malformed utf-8. As long as it doesn't -> crash ikiwiki, it's probably acceptable. Ikiwiki can do some similar things itself when fed malformed utf-8 (doesn't crash tho) --[[Joey]] - -#### po4a-translate - -`po4a-translate` uses more or less the same po4a features as our -`filter` function. - -Without specifying an input charset, same behaviour as -`po4a-gettextize`, so let's specify UTF-8 as input charset as of now. - - zzuf -cv \ - po4a-translate -d -f text -o markdown -M utf-8 -L utf-8 \ - -k 0 -m LICENSES -p LICENSES.fr.po -l test.fr - -... prints tons of occurences of the following error, but a complete -translated document is written (obviously with some weird chars -inside): - - Use of uninitialized value in string ne at /usr/share/perl5/Locale/Po4a/TransTractor.pm line 854. - Use of uninitialized value in string ne at /usr/share/perl5/Locale/Po4a/TransTractor.pm line 840. - Use of uninitialized value in pattern match (m//) at /usr/share/perl5/Locale/Po4a/Po.pm line 1002. - -While: - - zzuf -cv -s 0:10 -r 0.001:0.3 \ - po4a-translate -d -f text -o markdown -M utf-8 -L utf-8 \ - -k 0 -m LICENSES -p LICENSES.fr.po -l test.fr - -... seems to lose the fight, at the `readpo(LICENSES.fr.po)` step, -against some kind of infinite loop, deadlock, or any similar beast. -It does not seem to eat memory, though. - -Whatever format module is used does not change anything. This is thus -probably a bug in po4a's core or in a lib it depends on. - -The sub `read`, in `TransTractor.pm`, seems to be a good debugging -starting point. - -#### msgmerge - -`msgmerge` is run in our `refreshpofiles` function. I did not manage -to crash it with `zzuf`. - -gettext/po4a rough corners --------------------------- - -- fix infinite loop when synchronizing two ikiwiki (when checkouts - live in different directories): say bla.fr.po has been updated in - repo2; pulling repo2 from repo1 seems to trigger a PO update, that - changes bla.fr.po in repo1; then pushing repo1 to repo2 triggers - a PO update, that changes bla.fr.po in repo2; etc.; quickly fixed in - `629968fc89bced6727981c0a1138072631751fee`, by disabling references - in Pot files. Using `Locale::Po4a::write_if_needed` might be - a cleaner solution. (warning: this function runs the external - `diff` program, have to check security) -- new translations created in the web interface must get proper - charset/encoding gettext metadata, else the next automatic PO update - removes any non-ascii chars; possible solution: put such metadata - into the Pot file, and let it propagate; should be fixed in - `773de05a7a1ee68d2bed173367cf5e716884945a`, time will tell. - -Better links ------------- - -### Page title in links - -Using the fix to -[[bugs/pagetitle_function_does_not_respect_meta_titles]] from -[[intrigeri]]'s `meta` branch, the generated links' text is based on -the page titles set with the [[meta|plugins/meta]] plugin. This has to -be merged upstream, though. - -Robustness tests ----------------- - -### Enabling/disabling the plugin - -- enabling the plugin with `po_translatable_pages` set -- enabling the plugin without `po_translatable_pages` set: **OK** -- disabling the plugin: **OK** - -### Changing the plugin config - -- adding existing pages to `po_translatable_pages`: **OK** -- removing existing pages from `po_translatable_pages`: **OK** -- adding a language to `po_slave_languages`: **OK** -- removing a language from `po_slave_languages`: **OK** -- changing `po_master_language`: **OK** -- replacing `po_master_language` with a language previously part of - `po_slave_languages`: needs two rebuilds, but **OK** (this is quite - a perverse test actually) - -### Creating/deleting/renaming pages - -All cases of master/slave page creation/deletion/rename, both via RCS -and via CGI, have been tested. - -### Misc +BUGS +==== -- general test with `usedirs` disabled: **OK** -- general test with `indexpages` enabled -- general test with `po_link_to=default` +[[!inline pages="bugs/po:* and !bugs/done and !link(bugs/done) and !bugs/*/*" +feeds=no actions=no archive=yes show=0]] -Documentation -------------- +TODO +==== -Maybe write separate documentation depending on the people it targets: -translators, wiki administrators, hackers. This plugin may be complex -enough to deserve this. +[[!inline pages="todo/po:* and !todo/done and !link(todo/done) and !todo/*/*" +feeds=no actions=no archive=yes show=0]]