[Po4a-devel] po4a against untrusted content

intrigeri intrigeri at boum.org
Sat Nov 8 19:01:28 UTC 2008 

Hello,

Nicolas François wrote (08 Nov 2008 14:08:13 GMT) :

>  * The po4a's modules
>    The modules are parsing the "untrusted content", the behavior of the
>    modules might be changed by commands included in the content (LaTeX
>    module only?), they might use some unstrusted content later in a
>    regular expression.
>    The module usually do not have any interface to the system (like
>    reading or writing files, executing commands), but use the
>    Transtractor interface for this.

I'll check the Text module for similar problems, and report back.

> If it's about external system's program, then there are some (look for
> system, qx, open, or `):

> diff might be used by Po.pm
> nsgmls is used by Sgml.pm

Being more or less a Perl newbie, I did not grep'ed for qx.

Seems the core only runs diff. We use neither write_if_needed() nor
move_po_if_needed() yet, so this will have to be checked if we start
using them at some point.

> I had some failure with WrapI18N (endless loops), which might cause DOS.
> http://bugs.debian.org/470250
> It is just used to have a better formating of the output error/warning
> mesages.
> You probably do not need this feature.

I'll try to disable its use, and report back.

> I have no reason to think that Encode::Guess is not safe. It can also be
> avoided if the encoding is always specified. (This might need some
> adaptation in po4a to only load it if needed)

I'll try to prevent this module to be used, and report back.

> Other non-required dependencies:
>  Term::ReadKey
>  SGMLS

> They are not dependencies for your use case.

I'll try to disable their use, and report back.

> It is not used by Locale::Po4a, but by the po4a command lines.
> However, I expect that you will have to use them.

I did not use them, but found inspiration in there, hence the use of
msgmerge to refresh the PO files.

(no need to Cc: me, I'm now on the list :)

Thanks, Nicolas, for your detailed answer.

Bye,
--
  intrigeri <intrigeri at boum.org>

More information about the Po4a-devel mailing list