Hello,
in the process of writing a translation plugin[1] for ikiwiki[2],
using po4a, we wondered how safe it was to run po4a on
untrusted content. Hence the following questions.
(You might need to know, in order to provide an accurate answer, that
we actually don't use /usr/bin/po4a* at all, but rather the
Locale::Po4a Perl module.)
Was po4a designed with "processing safely on untrusted content" as
a goal? If not, do you consider it is now achieved as a side effect?
About the external dependencies:
- I could not find any command execution in Locale::Po4a, did I miss
some?
- The first glance makes me think that Locale::gettext is used only to
display translated messages; can you please confirm this?
- Amongst the dependencies (I could quickly list DynaLoader, Encode,
Encode::Guess, Text::WrapI18N, Locale::gettext), is there one (or
more) that you know to be unsafe to process untrusted content?
- What about the msgmerge command, that po4a command-line programs
use, as well as this ikiwiki plugin?
Was the full code checked for symlink attacks when CVE-2007-4462
was fixed?
Was po4a tested with a fuzzing program? Would you be interested in the
results if I did this?
[1]
http://ikiwiki.info/plugins/contrib/po/
[2]
http://ikiwiki.info
Bye,
--
intrigeri <intrigeri(a)boum.org>