X-Git-Url: http://git.tremily.us/?a=blobdiff_plain;f=doc%2Fplugins%2Fpo.mdwn;h=f6405f3b3e6ec65c362265fa7de2425719feccce;hb=586e6e33621916d5177f0493bad54810de3149dc;hp=919864ede5952e9a613f5c9aa7ec6ed22658b913;hpb=5852f03efacb391f97d3d68e98ec8888cd09dc84;p=ikiwiki.git diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn index 919864ede..f6405f3b3 100644 --- a/doc/plugins/po.mdwn +++ b/doc/plugins/po.mdwn @@ -399,6 +399,10 @@ use in our case, I suggest we define `ENV{COLUMNS}` before loading `refreshpofiles()` runs this external program. A po4a developer answered he does "not expect any security issues from it". +### msgfmt + +`isvalidpo()` runs this external program. Its security should be checked. + ### Fuzzing input I was not able to find any public information about gettext or po4a @@ -530,27 +534,13 @@ be merged upstream, though. Translation quality assurance ----------------------------- -Modifying a PO file via the CGI must be forbidden if the new version -is not a valid PO file. As a bonus, check that it provides a more -complete translation than the existing one. - -A new `cansave` type of hook would be needed to implement this. +Modifying a PO file via the CGI is already forbidden if the new +version is not a valid PO file. As a bonus, check that it provides +a more complete translation than the existing one. Note: committing to the underlying repository is a way to bypass this check. -Creating new pages on the web ------------------------------ - -See [[contrib/po|contrib/po]]. - -Renaming/deleting pages ------------------------ - -Renaming or deleting a translation in the CGI should be forbidden. -Implementing this requires two new hooks: `canrename` and `canremove`, -that would be run respectively by the `rename` and the `remove` plugins. - Robustness tests ---------------- 
@@ -604,3 +594,11 @@ Documentation Maybe write separate documentation depending on the people it targets: translators, wiki administrators, hackers. This plugin may be complex enough to deserve this. + +Gettext-ize the plugin code. + +Misc +---- + +* Can the form validation system be used instead of creating the + `cansave` hook?
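Review bot: In the first hunk (`@@ -399,6 +399,10 @@`), the new `### msgfmt` entry says only "Its security should be checked", which gives a reader nothing to act on. The second hunk states that CGI edits are rejected when the new version is not a valid PO file, so `isvalidpo()` is presumably the path by which web-submitted content reaches `msgfmt`. The entry should say that the input is untrusted and list the open questions: how the program is invoked and with which arguments, and how it behaves on malformed input. The neighbouring po4a entry records a developer's answer in the same way.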
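Review bot: In the second hunk (`@@ -530,27 +534,13 @@`), "is already forbidden" replaces "must be forbidden" and the sentence about needing a `cansave` hook is dropped, but the text no longer names what enforces the check. Name the mechanism, for example by referring to `isvalidpo()` from the first hunk, so that the remaining note about bypassing the check by committing to the underlying repository can be read against it. The hunk also deletes the "Creating new pages on the web" and "Renaming/deleting pages" sections without saying whether they were implemented or abandoned. The second of these stated a restriction (renaming or deleting a translation in the CGI should be forbidden), so its outcome deserves a line in the document or the commit message.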
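Review bot: In the third hunk (`@@ -604,3 +594,11 @@`), "Gettext-ize the plugin code." is added under the Documentation heading although it is a code task. It fits better as a list item in the new Misc section. The Misc item asks whether form validation can be used "instead of creating the `cansave` hook", which reads as if the hook does not exist yet, while the second hunk says invalid PO files are already rejected. Reword it to say whether the hook is in place and the question is about replacing it.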