[Po4a-devel] po4a against untrusted content
intrigeri
intrigeri at boum.org
Sat Nov 8 19:01:28 UTC 2008
Hello,
Nicolas François wrote (08 Nov 2008 14:08:13 GMT):
> * The po4a's modules
> The modules parse the "untrusted content"; the behaviour of the
> modules might be changed by commands included in the content (LaTeX
> module only?), and they might use some untrusted content later in a
> regular expression.
> The modules usually do not have any interface to the system (like
> reading or writing files, executing commands), but use the
> Transtractor interface for this.
I'll check the Text module for similar problems, and report back.
> If it's about external system's program, then there are some (look for
> system, qx, open, or `):
> diff might be used by Po.pm
> nsgmls is used by Sgml.pm
Being more or less a Perl newbie, I did not grep for qx.
Seems the core only runs diff. We use neither write_if_needed() nor
move_po_if_needed() yet, so this will have to be checked if we start
using them at some point.
> I had some failures with WrapI18N (endless loops), which might cause DoS.
> http://bugs.debian.org/470250
> It is just used to have a better formatting of the output error/warning
> messages.
> You probably do not need this feature.
I'll try to disable its use, and report back.
> I have no reason to think that Encode::Guess is not safe. It can also be
> avoided if the encoding is always specified. (This might need some
> adaptation in po4a to only load it if needed)
I'll try to prevent this module from being used, and report back.
> Other non-required dependencies:
> Term::ReadKey
> SGMLS
> They are not dependencies for your use case.
I'll try to disable their use, and report back.
> It is not used by Locale::Po4a, but by the po4a command lines.
> However, I expect that you will have to use them.
I did not use them, but found inspiration in there, hence the use of
msgmerge to refresh the PO files.
(no need to Cc: me, I'm now on the list :)
Thanks, Nicolas, for your detailed answer.
Bye,
--
intrigeri <intrigeri at boum.org>
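An added illustration of the point Nicolas raises above about modules using "untrusted content later in a regular expression". This is example code written for this page, not po4a code and not something either author posted; the scenario (a format module that takes a delimiter string out of the document it is parsing and later interpolates it into a pattern) is a hypothetical stand-in for what a real module might do, and the three-line input document is constructed.

```perl
#!/usr/bin/perl
# Added illustration (not po4a's own code): why untrusted document content
# must not be interpolated into a regular expression unescaped.
use strict;
use warnings;

# Hypothetical situation: a format module reads a delimiter string out of
# the document it parses and later uses it to find the delimited lines.

# Unsafe: $delim is interpolated as a pattern, so any regex metacharacter
# the document author put into it becomes part of the pattern.
sub count_marked_lines_unsafe {
    my ($text, $delim) = @_;
    my $n = () = $text =~ /^$delim(.*)$/mg;
    return $n;
}

# Safe: \Q...\E (equivalently quotemeta()) escapes the delimiter so it is
# matched literally, whatever characters it contains.
sub count_marked_lines_safe {
    my ($text, $delim) = @_;
    my $n = () = $text =~ /^\Q$delim\E(.*)$/mg;
    return $n;
}

# Constructed input: exactly one line of three carries the delimiter "%%".
my $doc = "keep this line\n%% a real marker line\nand another";

# "%%" is the honest case; ".*" and "(" are what an attacker-controlled
# document could hand the module instead.
for my $delim ('%%', '.*', '(') {
    for my $variant (['unsafe', \&count_marked_lines_unsafe],
                     ['safe',   \&count_marked_lines_safe]) {
        my ($name, $fn) = @$variant;
        my $result = eval { $fn->($doc, $delim) };
        if ($@) {
            # An unbalanced "(" is an invalid pattern: the unsafe variant
            # dies in the middle of parsing, a cheap denial of service.
            (my $err = $@) =~ s/\n.*//s;
            printf "%-6s delim %-4s -> died: %s\n", $name, "'$delim'", $err;
        } else {
            printf "%-6s delim %-4s -> %d matching line(s)\n",
                   $name, "'$delim'", $result;
        }
    }
}
```

Run as `perl regex-untrusted.pl` (any file name will do). With the honest delimiter both variants agree; with `.*` the unsafe variant reports every line as delimited because the delimiter has become a wildcard, while the safe one finds none; with `(` the unsafe variant dies with an "Unmatched (" regex compilation error, which is the crash-on-malicious-input case, while the safe one simply finds no match. When auditing a module, the thing to grep for is a `$variable` inside `m//`, `s///` or `qr//` whose value comes from the parsed document without `\Q...\E` or `quotemeta()` around it.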