- `refreshpofiles` uses `system()`, whose args have to be checked more
thoroughly to prevent any security issue (command injection, etc.).
+ > Always pass `system()` a list of parameters to avoid the shell.
+ > I've checked in a change fixing that. --[[Joey]]
- `refreshpofiles` and `refreshpot` create new files; this may need
some checks, e.g. using `IkiWiki::prep_writefile()`
+- Can any sort of directives be put in po files that will
+ cause mischief (ie, include other files, run commands, crash gettext,
+ whatever).
+- Any security issues on running po4a on untrusted content?
gettext/po4a rough corners
--------------------------
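Review bot: the reply added under the `system()` item says a fix was checked in but does not identify the change, and the item itself stays in the list unmarked, so a reader cannot tell whether `refreshpofiles` still needs auditing. Suggest naming the commit in the reply or marking the item done. The neighbouring item about `refreshpofiles` and `refreshpot` creating new files gets no reply, so it would help to state whether `IkiWiki::prep_writefile()` is now used there. In the two added list items, the first is a question but ends in a period after the parenthetical, and "ie" should be "i.e.". Both items would also be easier to act on if they said what counts as untrusted content here (po files edited through the wiki, or the source pages handed to po4a).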