One can edit the PO files using ikiwiki's CGI (a message-by-message interface
could also be implemented at some point).
-If [[tips/untrusted_git_push]] is setup, one can edit the PO files in her
+If [[tips/untrusted_git_push]] is setup, one can edit the PO files in one's
preferred `$EDITOR`, without needing to be online.
TODO
- `refreshpofiles` uses `system()`, whose args have to be checked more
thoroughly to prevent any security issue (command injection, etc.).
+ > Always pass `system()` a list of parameters to avoid the shell.
+ > I've checked in a change fixing that. --[[Joey]]
- `refreshpofiles` and `refreshpot` create new files; this may need
some checks, e.g. using `IkiWiki::prep_writefile()`
+- Can any sort of directives be put in po files that will
+ cause mischief (ie, include other files, run commands, crash gettext,
+ whatever).
+- Any security issues on running po4a on untrusted content?
gettext/po4a rough corners
--------------------------
Which configuration settings are safe enough for websetup?
+> I see no problems with `po_master_language` and `po_slave_languages`
+> (assuming websetup handles the hashes correctly). Would not hurt to check
+> that the values of these are legal language codes, in `checkconfig`.
+> `po_translatable_pages` seems entirely safe. `po_link_to` w/o usedirs
+> causes ikiwiki to error out. If it were changed to fall back to a safe
+> setting in this case rather than error, it would be safe.
+> --[[Joey]]
+
### parentlinks
When the wiki home page is translatable, the parentlinks plugin sets
sipb-www / ikiwiki.git / blobdiff