From: Joey Hess Date: Wed, 5 Nov 2008 19:47:50 +0000 (-0500) Subject: fixed one security problem, two more need review X-Git-Tag: 3.15~403^2~5 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=6fbe214d91ca9be37d149a1e5ba11590490959aa;p=ikiwiki.git fixed one security problem, two more need review --- diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn index 7ac1b3f0f..ba293f262 100644 --- a/doc/plugins/po.mdwn +++ b/doc/plugins/po.mdwn @@ -227,8 +227,14 @@ Security checks - `refreshpofiles` uses `system()`, whose args have to be checked more thoroughly to prevent any security issue (command injection, etc.). + > Always pass `system()` a list of parameters to avoid the shell. + > I've checked in a change fixing that. --[[Joey]] - `refreshpofiles` and `refreshpot` create new files; this may need some checks, e.g. using `IkiWiki::prep_writefile()` +- Can any sort of directives be put in po files that will + cause mischief (ie, include other files, run commands, crash gettext, + whatever). +- Any security issues on running po4a on untrusted content? gettext/po4a rough corners --------------------------
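Review bot: The reply added to the `refreshpofiles` item states "I've checked in a change fixing that", but this commit touches only `doc/plugins/po.mdwn`, so nothing in the diff lets a reader verify that `refreshpofiles` now calls `system()` with a list of parameters rather than a single shell string. Either fold the code change into this commit or name the fixing commit in the reply so the documented mitigation can be traced to the code. The two new bullets ("Can any sort of directives be put in po files ...", "Any security issues on running po4a on untrusted content?") are phrased as open questions with no owner or status; since the subject line says "two more need review", marking them explicitly as unreviewed (the way the `--[[Joey]]` signature marks the reviewed one) would keep the Security checks list readable as a checklist.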