Hello,
Nicolas François wrote (08 Nov 2008 14:08:13 GMT) :
* The po4a's modules
The modules are parsing the "untrusted content", the behavior of the
modules might be changed by commands included in the content (LaTeX
module only?), they might use some untrusted content later in a
regular expression.
The modules usually do not have any interface to the system (like
reading or writing files, executing commands), but use the
TransTractor interface for this.
I'll check the Text module for similar problems, and report back.
If it's about external system's program, then there are some
(look for system, qx, open, or `):
diff might be used by Po.pm
nsgmls is used by Sgml.pm
Being more or less a Perl newbie, I did not grep for qx.
Seems the core only runs diff. We use neither write_if_needed() nor
move_po_if_needed() yet, so this will have to be checked if we start
using them at some point.
I had some failure with WrapI18N (endless loops), which might cause
DOS.
http://bugs.debian.org/470250
It is just used to have a better formatting of the output error/warning
messages.
You probably do not need this feature.
I'll try to disable its use, and report back.
I have no reason to think that Encode::Guess is not safe. It can also
be avoided if the encoding is always specified. (This might need some
adaptation in po4a to only load it if needed)
I'll try to prevent this module from being used, and report back.
Other non-required dependencies:
Term::ReadKey
SGMLS
They are not dependencies for your use case.
I'll try to disable their use, and report back.
It is not used by Locale::Po4a, but by the po4a command lines.
However, I expect that you will have to use them.
I did not use them, but found inspiration in there, hence the use of
msgmerge to refresh the PO files.
(no need to Cc: me, I'm now on the list :)
Thanks, Nicolas, for your detailed answer.
Bye,
--
intrigeri <intrigeri(a)boum.org>
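
The search suggested in the thread above (system, qx, open, or backticks in the Perl modules), written out as an added example that is not part of the original message and not po4a code. The function name, the check labels and the sample Perl lines are assumptions made for illustration; unlike a plain grep, it skips POD and full-line comments and separates piped open calls from ordinary ones.

```python
import re

# Heuristic line scanner (not a Perl parser): flags lines for manual review.
_NOT_IDENT = r"(?<![\w$@%>:])"  # ignore $system, ->open, Foo::open
CHECKS = [
    ("system", re.compile(_NOT_IDENT + r"system\b")),
    ("qx", re.compile(_NOT_IDENT + r"qx\s*[^\w\s,;=)]")),
    ("backtick", re.compile(r"`[^`]+`")),
    ("open-pipe", re.compile(_NOT_IDENT + r"open\b.*(?:[\"'](?:\||-\|)|\|\s*[\"'])")),
    ("open", re.compile(_NOT_IDENT + r"open\b")),
]

def scan_perl(source, filename="<input>"):
    """Return (filename, line number, kind, text) for each flagged code line."""
    findings, in_pod = [], False
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if in_pod:
            in_pod = not line.startswith("=cut")
            continue
        if re.match(r"=(?!cut\b)[A-Za-z]", line):
            in_pod = True  # POD block: documentation, skipped until =cut
            continue
        if stripped.startswith("#"):
            continue  # full-line comment
        kinds = []
        for kind, rx in CHECKS:
            if rx.search(line) and not (kind == "open" and "open-pipe" in kinds):
                kinds.append(kind)
        findings.extend((filename, lineno, kind, stripped) for kind in kinds)
    return findings

# Constructed sample input, not taken from po4a.
SAMPLE = '''\
package Locale::Po4a::Example;
=head1 DESCRIPTION
This POD mentions system() and `backticks`; documentation only.
=cut
# system("comment only");
open(my $in, "<", $file) or die "cannot read $file: $!";
open(my $p, "nsgmls -l -E 0 <$file |") or die "cannot run nsgmls";
my $d = qx{diff -u old.po new.po};
my $out = `msgmerge old.po new.pot`;
system("diff", "-q", $file, "$file.bak");
$self->open($file);
'''

if __name__ == "__main__":
    for finding in scan_perl(SAMPLE):
        print("%s:%d: %-9s %s" % finding)
```

Every hit is only a candidate for review: the scanner does not track whether the arguments come from untrusted content, and strings that merely contain one of the words are flagged too.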