X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/c96dd00480b8c0d18f74d42d3b6820f1cdd67240..86edd539f4995b49e57086e055b0c9a5571b2ff3:/doc/plugins/po.mdwn diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn index 1526798d1..6c0d49197 100644 --- a/doc/plugins/po.mdwn +++ b/doc/plugins/po.mdwn @@ -6,6 +6,8 @@ gettext, using [po4a](http://po4a.alioth.debian.org/). It depends on the Perl `Locale::Po4a::Po` library (`apt-get install po4a`). +[[!toc]] + Introduction ============ @@ -215,20 +217,70 @@ TODO Security checks --------------- -- `refreshpofiles` uses `system()`, whose args have to be checked more - thoroughly to prevent any security issue (command injection, etc.). - > Always pass `system()` a list of parameters to avoid the shell. - > I've checked in a change fixing that. --[[Joey]] -- `refreshpofiles` and `refreshpot` create new files; this may need - some checks, e.g. using `IkiWiki::prep_writefile()` - > Yes, it would be ideal to call `prep_writefile` on each file - > that they write, beforehand. This way you'd avoid symlink attacks etc to the - > generated po/pot files. I haven't done it, but it seems pretty trivial. - > --[[Joey]] -- Can any sort of directives be put in po files that will - cause mischief (ie, include other files, run commands, crash gettext, - whatever). -- Any security issues on running po4a on untrusted content? +### Security history + +The only past security issues I could find in GNU gettext and po4a +are: + +- [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966), + *i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283): + the autopoint and gettextize scripts in the GNU gettext package + 1.14 and later versions, as used in Trustix Secure Linux 1.5 + through 2.1 and other operating systems, allows local users to + overwrite files via a symlink attack on temporary files. +- [CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462): + `lib/Locale/Po4a/Po.pm` in po4a before 0.32 allows local users to + overwrite arbitrary files via a symlink attack on the + gettextization.failed.po temporary file. + +**FIXME**: check whether this plugin would have been a possible attack +vector to exploit these vulnerabilities. + +Depending on my mood, the lack of found security issues can either +indicate that there are none, or reveal that no-one ever bothered to +find (and publish) them. + +### PO file features + +Can any sort of directives be put in po files that will cause mischief +(ie, include other files, run commands, crash gettext, whatever)? + +> No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files) +> directive is supposed to do so. + +### Running po4a on untrusted content + +Are there any security issues on running po4a on untrusted content? + +> To say the least, this issue is not well covered, at least publicly: +> +> - the documentation does not talk about it; +> - grep'ing the source code for `security` or `trust` gives no answer. +> +> I'll ask their opinion to the po4a maintainers. +> +> I'm not in a position to audit the code, but I had a look anyway: +> +> - no use of `system()`, `exec()` or backticks in `Locale::Po4a`; are +> there any other way to run external programs in Perl? +> - a symlink attack vulnerability was already discovered, so I "hope" +> the code has been checked to find some more already +> - the po4a parts we are using themselves use the following Perl +> modules: `DynaLoader`, `Encode`, `Encode::Guess`, +> `Text::WrapI18N`, `Locale::gettext` (`bindtextdomain`, +> `textdomain`, `gettext`, `dgettext`) +> +> --[[intrigeri]] + +### Fuzzing input + +I was not able to find any public information about gettext or po4a +having been tested with a fuzzing program, such as `zzuf` or `fusil`. +Moreover, some gettext parsers seem to be quite +[easy to crash](http://fusil.hachoir.org/trac/browser/trunk/fuzzers/fusil-gettext), +so it might be useful to bang gettext/po4a's heads against such +a program in order to easily detect some of the most obvious DoS. +[[--intrigeri]] gettext/po4a rough corners -------------------------- @@ -237,8 +289,10 @@ gettext/po4a rough corners live in different directories): say bla.fr.po has been updated in repo2; pulling repo2 from repo1 seems to trigger a PO update, that changes bla.fr.po in repo1; then pushing repo1 to repo2 triggers - a PO update, that changes bla.fr.po in repo2; etc.; fixed in - `629968fc89bced6727981c0a1138072631751fee`? + a PO update, that changes bla.fr.po in repo2; etc.; quickly fixed in + `629968fc89bced6727981c0a1138072631751fee`, by disabling references + in Pot files. Using `Locale::Po4a::write_if_needed` might be + a cleaner solution. - new translations created in the web interface must get proper charset/encoding gettext metadata, else the next automatic PO update removes any non-ascii chars; possible solution: put such metadata @@ -255,27 +309,6 @@ does. This is actually a duplicate for [[bugs/pagetitle_function_does_not_respect_meta_titles]], which might be fixed by something like [[todo/using_meta_titles_for_parentlinks]]. -### websetup - -Which configuration settings are safe enough for websetup? - -> I see no problems with `po_master_language` and `po_slave_languages` -> (assuming websetup handles the hashes correctly). Would not hurt to check -> that the values of these are legal language codes, in `checkconfig`. -> `po_translatable_pages` seems entirely safe. `po_link_to` w/o usedirs -> causes ikiwiki to error out. If it were changed to fall back to a safe -> setting in this case rather than error, it would be safe. -> --[[Joey]] - -### backlinks - -`po_link_to = negotiated`: if a given translatable `sourcepage.mdwn` -links to \[[destpage]], `sourcepage.LL.po` also link to \[[destpage]], -and the latter has the master page *and* all its translations listed -in the backlinks. - -`po_link_to = current`: seems to work nicely - Translation quality assurance -----------------------------