aboutsummaryrefslogtreecommitdiff
path: root/doc/plugins/po/security.mdwn
blob: 3180836696800a2a635ca34527c5624788b78627 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
[[!toc levels=2]]

----

# Probable holes

_(The list of things to fix.)_

## po4a-gettextize

* po4a CVS 2009-01-16
* Perl 5.10.0

`po4a-gettextize` uses more or less the same po4a features as our
`refreshpot` function.

Without specifying an input charset, zzuf'ed `po4a-gettextize` quickly
errors out, complaining it was not able to detect the input charset;
it leaves no incomplete file on disk. I therefore had to pretend the
input was in UTF-8, as does the po plugin.

        zzuf -c -s 13 -r 0.1 \
            po4a-gettextize -f text -o markdown -M utf-8 -L utf-8 \
             -m GPL-3 -p GPL-3.pot

Crashes with:

        Malformed UTF-8 character (UTF-16 surrogate 0xdfa4) in substitution
        iterator at /usr/share/perl5/Locale/Po4a/Po.pm line 1449.
        Malformed UTF-8 character (fatal) at /usr/share/perl5/Locale/Po4a/Po.pm
        line 1449.

An incomplete pot file is left on disk. Unfortunately Po.pm tells us
nothing about the place where the crash happens.

> It's fairly standard perl behavior when fed malformed utf-8. As long
> as it doesn't crash ikiwiki, it's probably acceptable. Ikiwiki can
> do some similar things itself when fed malformed utf-8 (doesn't
> crash tho) --[[Joey]]

----

# Potential gotchas

_(Things not to do.)_


## Blindly activating more po4a format modules

The format modules we want to use have to be checked, as not all are
safe (e.g. the LaTeX module's behaviour is changed by commands
included in the content); they may use regexps generated from
the content.

----

# Hopefully non-holes

_(AKA, the assumptions that will be the root of most security holes...)_

## PO file features

No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
directive that can be put in po files is supposed to cause mischief
(ie, include other files, run commands, crash gettext, whatever).

## gettext

### Security history

The only past security issue I could find in GNU gettext is
[CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966),
*i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283):
the autopoint and gettextize scripts in the GNU gettext package (1.14
and later versions) may allow local users to overwrite files via
a symlink attack on temporary files.

This plugin would not have allowed to exploit this bug, as it does not
use, either directly or indirectly, the faulty scripts.

Note: the lack of found security issues can either indicate that there
are none, or reveal that no-one ever bothered to find or publish them.

### msgmerge

`refreshpofiles()` runs this external program.

* I was not able to crash it with `zzuf`.
* I could not find any past security hole.

### msgfmt

`isvalidpo()` runs this external program.

* I was not able to make it behave badly using zzuf: it exits cleanly
  when too many errors are detected.
* I could not find any past security hole.

## po4a

### Security history

The only past security issue I could find in po4a is
[CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462):
`lib/Locale/Po4a/Po.pm` in po4a before 0.32 allowed local users to
overwrite arbitrary files via a symlink attack on the
gettextization.failed.po temporary file.

This plugin would not have allowed to exploit this bug, as it does not
use, either directly or indirectly, the faulty `gettextize` function.

Note: the lack of found security issues can either indicate that there
are none, or reveal that no-one ever bothered to find or publish them.

### General feeling

Are there any security issues on running po4a on untrusted content?

To say the least, this issue is not well covered, at least publicly:

* the documentation does not talk about it;
* grep'ing the source code for `security` or `trust` gives no answer.

On the other hand, a po4a developer answered my questions in
a convincing manner, stating that processing untrusted content was not
an initial goal, and analysing in detail the possible issues.
The following analysis was done with his help.

### Details

* the core (`Po.pm`, `Transtractor.pm`) should be safe
* po4a source code was fully checked for other potential symlink
  attacks, after discovery of one such issue
* the only external program run by the core is `diff`, in `Po.pm` (in
  parts of its code we don't use)
* `Locale::gettext` is only used to display translated error messages
* Nicolas François "hopes" `DynaLoader` is safe, and has "no reason to
  think that `Encode` is not safe"
* Nicolas François has "no reason to think that `Encode::Guess` is not
  safe". The po plugin nevertheless avoids using it by defining the
  input charset (`file_in_charset`) before asking `TransTractor` to
  read any file. NB: this hack depends on po4a internals.

#### Locale::Po4a::Text

* does not run any external program
* only `do_paragraph()` builds regexp's that expand untrusted
  variables; according to [[Joey]], this is "Freaky code, but seems ok
  due to use of `quotementa`".

#### Text::WrapI18N

`Text::WrapI18N` can cause DoS
([Debian bug #470250](http://bugs.debian.org/470250)).
It is optional, and we do not need the features it provides.

If a recent enough po4a (>=2009-01-15 CVS, which will probably be
released as 0.35) is installed, this module's use is fully disabled.
Else, the wiki administrator is warned about this at runtime.

#### Term::ReadKey

`Term::ReadKey` is not a hard dependency in our case, *i.e.* po4a
works nicely without it. But the po4a Debian package recommends
`libterm-readkey-perl`, so it will probably be installed on most
systems using the po plugin.

`Term::ReadKey` has too far reaching implications for us to
be able to guarantee anything wrt. security.

If a recent enough po4a (>=2009-01-15 CVS, which will probably be
released as 0.35) is installed, this module's use is fully disabled.

#### Fuzzing input

##### po4a-translate

* po4a CVS 2009-01-16
* Perl 5.10.0

`po4a-translate` uses more or less the same po4a features as our
`filter` function.

Without specifying an input charset, same behaviour as
`po4a-gettextize`, so let's specify UTF-8 as input charset as of now.

`LICENSES` is a 21M file containing 100 concatenated copies of all the
files in `/usr/share/common-licenses/`; I had no existing PO file or
translated versions at hand, which renders these tests
quite incomplete.

        zzuf -cv -s 0:10 -r 0.001:0.3 \
          po4a-translate -d -f text -o markdown -M utf-8 -L utf-8 \
            -k 0 -m LICENSES -p LICENSES.fr.po -l test.fr

... seems to lose the fight, at the `readpo(LICENSES.fr.po)` step,
against some kind of infinite loop, deadlock, or any similar beast.

The root of this bug lies in `Text::WrapI18N`, see the corresponding
section.


----

# Fixed holes