[Po4a-devel] po4a against untrusted content
Nicolas François
nicolas.francois at centraliens.net
Sat Nov 8 20:27:22 UTC 2008
Hello,
On Sat, Nov 08, 2008 at 08:01:28PM +0100, intrigeri at boum.org wrote:
>
> Nicolas François wrote (08 Nov 2008 14:08:13 GMT) :
>
> > * The po4a's modules
> > The modules are parsing the "untrusted content", the behavior of the
> > modules might be changed by commands included in the content (LaTeX
> > module only?), they might use some untrusted content later in a
> > regular expression.
> > The modules usually do not have any interface to the system (like
> > reading or writing files, executing commands), but use the
> > Transtractor interface for this.
>
> I'll check the Text module for similar problems, and report back.
Note: the Text module had significant changes since the last release.
Please use the CVS version.
(CVS adds support for asciidoc)
> > I had some failure with WrapI18N (endless loops), which might cause DOS.
> > http://bugs.debian.org/470250
> > It is just used to have a better formatting of the output error/warning
> > messages.
> > You probably do not need this feature.
>
> I'll try to disable its use, and report back.
Currently, it is used if present.
It should thus be easy to add an option to always disable it.
> > Other non-required dependencies:
> > Term::ReadKey
> > SGMLS
>
> > They are not dependencies for your use case.
>
> I'll try to disable their use, and report back.
It makes me think that for the usage in an ikiwiki module, you may have to
change the way errors and warnings are reported.
(Term::ReadKey is used to get the size of the terminal to format the
warnings)
Best Regards,
--
Nekral
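Added example, not po4a's own code, illustrating the regular-expression concern quoted above: a module-style helper that builds a pattern from a delimiter read out of the (untrusted) document it parses. Interpolated raw, document content can change what the pattern matches or abort the run with a compile error; quoted with \Q...\E it can only match itself. The helper names and inputs are hypothetical and constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical po4a-style helper: locate a block delimiter that was read
# from the input document. Raw interpolation treats the delimiter as regex
# syntax, so the document controls the pattern.
sub find_delim_raw {
    my ($text, $delim) = @_;
    my $pos;
    # Without the eval, an invalid pattern dies and takes the whole run down.
    eval { $pos = $text =~ /$delim/ ? $-[0] : -1; 1 }
        or do { chomp(my $e = $@); return "regex error: $e" };
    return $pos;
}

# Hardened variant: \Q...\E applies quotemeta, so every character of the
# delimiter is matched literally, whatever the document contains.
sub find_delim_safe {
    my ($text, $delim) = @_;
    return $text =~ /\Q$delim\E/ ? $-[0] : -1;
}

# Constructed input: one benign delimiter and two that are regex syntax.
my $text = "alpha *** beta [x] gamma";
for my $delim ('***', '[x]', '(unclosed') {
    printf "%-10s raw=%s  safe=%s\n", $delim,
        find_delim_raw($text, $delim), find_delim_safe($text, $delim);
}
```

The raw form reports a compile error for '***' and '(unclosed' and matches the lone 'x' (offset 16) for '[x]'; the quoted form finds '***' at 6, '[x]' at 15 and returns -1 for the unclosed case. Catastrophic backtracking from a hostile pattern is a further way the same interpolation can stall a run and is not shown here.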