po(doc): moved security analysis to its own page

Signed-off-by: intrigeri <intrigeri@boum.org>
2009-01-17 13:50:19 +01:00 · 2009-01-17 13:50:19 +01:00 · 40de619d49
parent df82b5e62a
commit 40de619d49
2 changed files with 238 additions and 241 deletions
--- a/doc/plugins/po.mdwn
+++ b/doc/plugins/po.mdwn
@ -86,8 +86,8 @@ If `po_link_to` is set to `current`, `\[[destpage]]` links to the
 `destpage`'s version written in the current page's language, if
 available, *i.e.*:
- `foo/destpage/index.LL.html` if `usedirs` is enabled
+* `foo/destpage/index.LL.html` if `usedirs` is enabled
- `foo/destpage.LL.html` if `usedirs` is disabled
+* `foo/destpage.LL.html` if `usedirs` is disabled
 ### Link to negotiated language
@ -96,10 +96,10 @@ negotiated preferred language, *i.e.* `foo/page/`.
 (In)compatibility notes:
- if `usedirs` is disabled, it does not make sense to set `po_link_to`
+* if `usedirs` is disabled, it does not make sense to set `po_link_to`
  to `negotiated`; this option combination is neither implemented
  nor allowed.
- if the web server does not support Content Negotiation, setting
+* if the web server does not support Content Negotiation, setting
  `po_link_to` to `negotiated` will produce a unusable website.
@ -166,11 +166,11 @@ One typically adds the following code to `templates/page.tmpl`:
 The following variables are available inside the loop (for every page in):
- `URL` - url to the page
+* `URL` - url to the page
- `CODE` - two-letters language code
+* `CODE` - two-letters language code
- `LANGUAGE` - language name (as defined in `po_slave_languages`)
+* `LANGUAGE` - language name (as defined in `po_slave_languages`)
- `MASTER` - is true (1) if, and only if the page is a "master" page
+* `MASTER` - is true (1) if, and only if the page is a "master" page
- `PERCENT` - for "slave" pages, is set to the translation completeness, in percents
+* `PERCENT` - for "slave" pages, is set to the translation completeness, in percents
 ### Display the current translation status
@ -240,228 +240,19 @@ correctly on the slave pages:
  could be used to support them, but they would need a security audit
 * other markup languages have not been tested.
 Security
 ========
 [[./security]] contains a detailed security analysis of this plugin
 and its dependencies.
 When using po4a older than 0.35, it is recommended to uninstall
 `Text::WrapI18N` (Debian package `libtext-wrapi18n-perl`), in order to
 avoid a potential denial of service.
 TODO
 ====
 Security checks
 ---------------
 ### Security history
 The only past security issues I could find in GNU gettext and po4a
 are:
 - [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966),
  *i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283):
  the autopoint and gettextize scripts in the GNU gettext package
  1.14 and later versions, as used in Trustix Secure Linux 1.5
  through 2.1 and other operating systems, allows local users to
  overwrite files via a symlink attack on temporary files.
 - [CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462):
  `lib/Locale/Po4a/Po.pm` in po4a before 0.32 allows local users to
  overwrite arbitrary files via a symlink attack on the
  gettextization.failed.po temporary file.
 **FIXME**: check whether this plugin would have been a possible attack
 vector to exploit these vulnerabilities.
 Depending on my mood, the lack of found security issues can either
 indicate that there are none, or reveal that no-one ever bothered to
 find (and publish) them.
 ### PO file features
 Can any sort of directives be put in po files that will cause mischief
 (ie, include other files, run commands, crash gettext, whatever)?
 > No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
 > directive is supposed to do so. [[--intrigeri]]
 ### Running po4a on untrusted content
 Are there any security issues on running po4a on untrusted content?
 To say the least, this issue is not well covered, at least publicly:
 - the documentation does not talk about it;
 - grep'ing the source code for `security` or `trust` gives no answer.
 On the other hand, a po4a developer answered my questions in
 a convincing manner, stating that processing untrusted content was not
 an initial goal, and analysing in detail the possible issues.
 #### Already checked
 - the core (`Po.pm`, `Transtractor.pm`) should be safe
 - po4a source code was fully checked for other potential symlink
  attacks, after discovery of one such issue
 - the only external program run by the core is `diff`, in `Po.pm` (in
  parts of its code we don't use)
 - `Locale::gettext`: only used to display translated error messages
 - Nicolas François "hopes" `DynaLoader` is safe, and has "no reason to
  think that `Encode` is not safe"
 - Nicolas François has "no reason to think that `Encode::Guess` is not
  safe". The po plugin nevertheless avoids using it by defining the
  input charset (`file_in_charset`) before asking `Transtractor` to
  read any file. NB: this hack depends on po4a internals to stay
  the same.
 ##### Locale::Po4a modules
 The modules we want to use have to be checked, as not all are safe
 (e.g. the LaTeX module's behaviour is changed by commands included in
 the content); they may use regexps generated from the content.
 `Chooser.pm` only loads the plugin we tell it too: currently, this
 means the `Text` module only.
 `Text` module (I checked the CVS version):
 - it does not run any external program
 - only `do_paragraph()` builds regexp's that expand untrusted
  variables; they seem safe to me, but someone more expert than me
  will need to check. Joey?
  > Freaky code, but seems ok due to use of `quotementa`.
 #### To be checked
 ##### Text::WrapI18N
 `Text::WrapI18N` can cause DoS (see the
 [Debian bug #470250](http://bugs.debian.org/470250)), but it is
 optional and we do not need the features it provides.
 > If a recent enough po4a is installed, this module's use is fully disabled.
 > This feature has been merged in po4a CVS on 2009-01-15. --[[intrigeri]]
 ##### Term::ReadKey
 `Term::ReadKey` is not a hard dependency in our case, *i.e.* po4a
 works nicely without it. But the po4a Debian package recommends
 `libterm-readkey-perl`, so it will probably be installed on most
 systems using the po plugin.
 `Term::ReadKey` has too far reaching implications for us to
 be able to guarantee anything wrt. security.
 > The option that disables `Text::WrapI18N` also disables
 > `Term::ReadKey` as a consequence. [[--intrigeri]]
 ### msgmerge
 `refreshpofiles()` runs this external program.
 A po4a developer answered he does "not expect any security issues from
 it". I did not manage to crash it with `zzuf`, nor was able to find
 any past security holes.
 ### msgfmt
 `isvalidpo()` runs this external program.
 * I could not manage to make it behave badly using zzuf, it exits
  cleanly when too many errors are detected.
 * I could not find any past security holes.
 ### Fuzzing input
 Test conditions:
 - a 21M file containing 100 concatenated copies of all the files in my
  `/usr/share/common-licenses/`; I had no existing PO file or
  translated versions at hand, which renders these tests
  quite incomplete.
 - po4a was the Debian 0.34-2 package; the same tests were also run
  after replacing the `Text` module with the CVS one (the core was not
  changed in CVS since 0.34-2 was released), without any significant
  difference in the results.
 - Perl 5.10.0-16
 #### po4a-gettextize
 `po4a-gettextize` uses more or less the same po4a features as our
 `refreshpot` function.
 Without specifying an input charset, zzuf'ed `po4a-gettextize` quickly
 errors out, complaining it was not able to detect the input charset;
 it leaves no incomplete file on disk.
 So I had to pretend the input was in UTF-8, as does the po plugin.
 Two ways of crashing were revealed by this command-line:
        zzuf -vc -s 0:100 -r 0.1:0.5 \
          po4a-gettextize -f text -o markdown -M utf-8 -L utf-8 \
            -m LICENSES >/dev/null
 They are:
        Malformed UTF-8 character (UTF-16 surrogate 0xdcc9) in substitution iterator at /usr/share/perl5/Locale/Po4a/Po.pm line 1443.
        Malformed UTF-8 character (fatal) at /usr/share/perl5/Locale/Po4a/Po.pm line 1443.
 and
        Malformed UTF-8 character (UTF-16 surrogate 0xdcec) in substitution (s///) at /usr/share/perl5/Locale/Po4a/Po.pm line 1443.
        Malformed UTF-8 character (fatal) at /usr/share/perl5/Locale/Po4a/Po.pm line 1443.
 Perl seems to exit cleanly, and an incomplete PO file is written on
 disk. I not sure whether if this is a bug in Perl or in `Po.pm`.
 > It's fairly standard perl behavior when fed malformed utf-8. As long as it doesn't
 > crash ikiwiki, it's probably acceptable. Ikiwiki can do some similar things itself when fed malformed utf-8 (doesn't crash tho) --[[Joey]]
 #### po4a-translate
 `po4a-translate` uses more or less the same po4a features as our
 `filter` function.
 Without specifying an input charset, same behaviour as
 `po4a-gettextize`, so let's specify UTF-8 as input charset as of now.
        zzuf -cv \
          po4a-translate -d -f text -o markdown -M utf-8 -L utf-8 \
            -k 0 -m LICENSES -p LICENSES.fr.po -l test.fr
 ... prints tons of occurences of the following error, but a complete
 translated document is written (obviously with some weird chars
 inside):
        Use of uninitialized value in string ne at /usr/share/perl5/Locale/Po4a/TransTractor.pm line 854.
        Use of uninitialized value in string ne at /usr/share/perl5/Locale/Po4a/TransTractor.pm line 840.
        Use of uninitialized value in pattern match (m//) at /usr/share/perl5/Locale/Po4a/Po.pm line 1002.
 While:
        zzuf -cv -s 0:10 -r 0.001:0.3 \
          po4a-translate -d -f text -o markdown -M utf-8 -L utf-8 \
            -k 0 -m LICENSES -p LICENSES.fr.po -l test.fr
 ... seems to lose the fight, at the `readpo(LICENSES.fr.po)` step,
 against some kind of infinite loop, deadlock, or any similar beast.
 The root of this bug lies in `Text::WrapI18N`, see above for
 possible solutions.
 gettext/po4a rough corners
 --------------------------
 - fix infinite loop when synchronizing two ikiwiki (when checkouts
  live in different directories): say bla.fr.po has been updated in
  repo2; pulling repo2 from repo1 seems to trigger a PO update, that
  changes bla.fr.po in repo1; then pushing repo1 to repo2 triggers
  a PO update, that changes bla.fr.po in repo2; etc.; quickly fixed in
  `629968fc89bced6727981c0a1138072631751fee`, by disabling references
  in Pot files. Using `Locale::Po4a::write_if_needed` might be
  a cleaner solution. (warning: this function runs the external
  `diff` program, have to check security)
 - new translations created in the web interface must get proper
  charset/encoding gettext metadata, else the next automatic PO update
  removes any non-ascii chars; possible solution: put such metadata
  into the Pot file, and let it propagate; should be fixed in
  `773de05a7a1ee68d2bed173367cf5e716884945a`, time will tell.
 Better links
 ------------
@ -478,19 +269,19 @@ Robustness tests
 ### Enabling/disabling the plugin
- enabling the plugin with `po_translatable_pages` set to blacklist: **OK**
+* enabling the plugin with `po_translatable_pages` set to blacklist: **OK**
- enabling the plugin with `po_translatable_pages` set to whitelist: **OK**
+* enabling the plugin with `po_translatable_pages` set to whitelist: **OK**
- enabling the plugin without `po_translatable_pages` set: **OK**
+* enabling the plugin without `po_translatable_pages` set: **OK**
- disabling the plugin: **OK**
+* disabling the plugin: **OK**
 ### Changing the plugin config
- adding existing pages to `po_translatable_pages`: **OK**
+* adding existing pages to `po_translatable_pages`: **OK**
- removing existing pages from `po_translatable_pages`: **OK**
+* removing existing pages from `po_translatable_pages`: **OK**
- adding a language to `po_slave_languages`: **OK**
+* adding a language to `po_slave_languages`: **OK**
- removing a language from `po_slave_languages`: **OK**
+* removing a language from `po_slave_languages`: **OK**
- changing `po_master_language`: **OK**
+* changing `po_master_language`: **OK**
- replacing `po_master_language` with a language previously part of
+* replacing `po_master_language` with a language previously part of
  `po_slave_languages`: needs two rebuilds, but **OK** (this is quite
  a perverse test actually)
@ -501,10 +292,10 @@ and via CGI, have been tested.
 ### Misc
- general test with `usedirs` disabled: **OK**
+* general test with `usedirs` disabled: **OK**
- general test with `indexpages` enabled: **not OK**
+* general test with `indexpages` enabled: **not OK**
- general test with `po_link_to=default` with `userdirs` enabled: **OK**
+* general test with `po_link_to=default` with `userdirs` enabled: **OK**
- general test with `po_link_to=default` with `userdirs` disabled: **OK**
+* general test with `po_link_to=default` with `userdirs` disabled: **OK**
 Misc. bugs
 ----------
--- a/doc/plugins/po/security.mdwn
+++ b/doc/plugins/po/security.mdwn
@ -0,0 +1,206 @@
 [[!toc levels=2]]
 ----
 # Probable holes
 _(The list of things to fix.)_
 ## po4a-gettextize
 * po4a CVS 2009-01-16
 * Perl 5.10.0
 `po4a-gettextize` uses more or less the same po4a features as our
 `refreshpot` function.
 Without specifying an input charset, zzuf'ed `po4a-gettextize` quickly
 errors out, complaining it was not able to detect the input charset;
 it leaves no incomplete file on disk. I therefore had to pretend the
 input was in UTF-8, as does the po plugin.
        zzuf -c -s 13 -r 0.1 \
            po4a-gettextize -f text -o markdown -M utf-8 -L utf-8 \
             -m GPL-3 -p GPL-3.pot
 Crashes with:
        Malformed UTF-8 character (UTF-16 surrogate 0xdfa4) in substitution
        iterator at /usr/share/perl5/Locale/Po4a/Po.pm line 1449.
        Malformed UTF-8 character (fatal) at /usr/share/perl5/Locale/Po4a/Po.pm
        line 1449.
 An incomplete pot file is left on disk. Unfortunately Po.pm tells us
 nothing about the place where the crash happens.
 > It's fairly standard perl behavior when fed malformed utf-8. As long
 > as it doesn't crash ikiwiki, it's probably acceptable. Ikiwiki can
 > do some similar things itself when fed malformed utf-8 (doesn't
 > crash tho) --[[Joey]]
 ----
 # Potential gotchas
 _(Things not to do.)_
 ## Blindly activating more po4a format modules
 The format modules we want to use have to be checked, as not all are
 safe (e.g. the LaTeX module's behaviour is changed by commands
 included in the content); they may use regexps generated from
 the content.
 ----
 # Hopefully non-holes
 _(AKA, the assumptions that will be the root of most security holes...)_
 ## PO file features
 No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
 directive that can be put in po files is supposed to cause mischief
 (ie, include other files, run commands, crash gettext, whatever).
 ## gettext
 ### Security history
 The only past security issue I could find in GNU gettext is
 [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966),
 *i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283):
 the autopoint and gettextize scripts in the GNU gettext package (1.14
 and later versions) may allow local users to overwrite files via
 a symlink attack on temporary files.
 This plugin would not have allowed to exploit this bug, as it does not
 use, either directly or indirectly, the faulty scripts.
 Note: the lack of found security issues can either indicate that there
 are none, or reveal that no-one ever bothered to find or publish them.
 ### msgmerge
 `refreshpofiles()` runs this external program.
 * I was not able to crash it with `zzuf`.
 * I could not find any past security hole.
 ### msgfmt
 `isvalidpo()` runs this external program.
 * I was not able to make it behave badly using zzuf: it exits cleanly
  when too many errors are detected.
 * I could not find any past security hole.
 ## po4a
 ### Security history
 The only past security issue I could find in po4a is
 [CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462):
 `lib/Locale/Po4a/Po.pm` in po4a before 0.32 allowed local users to
 overwrite arbitrary files via a symlink attack on the
 gettextization.failed.po temporary file.
 This plugin would not have allowed to exploit this bug, as it does not
 use, either directly or indirectly, the faulty `gettextize` function.
 Note: the lack of found security issues can either indicate that there
 are none, or reveal that no-one ever bothered to find or publish them.
 ### General feeling
 Are there any security issues on running po4a on untrusted content?
 To say the least, this issue is not well covered, at least publicly:
 * the documentation does not talk about it;
 * grep'ing the source code for `security` or `trust` gives no answer.
 On the other hand, a po4a developer answered my questions in
 a convincing manner, stating that processing untrusted content was not
 an initial goal, and analysing in detail the possible issues.
 The following analysis was done with his help.
 ### Details
 * the core (`Po.pm`, `Transtractor.pm`) should be safe
 * po4a source code was fully checked for other potential symlink
  attacks, after discovery of one such issue
 * the only external program run by the core is `diff`, in `Po.pm` (in
  parts of its code we don't use)
 * `Locale::gettext` is only used to display translated error messages
 * Nicolas François "hopes" `DynaLoader` is safe, and has "no reason to
  think that `Encode` is not safe"
 * Nicolas François has "no reason to think that `Encode::Guess` is not
  safe". The po plugin nevertheless avoids using it by defining the
  input charset (`file_in_charset`) before asking `TransTractor` to
  read any file. NB: this hack depends on po4a internals.
 #### Locale::Po4a::Text
 * does not run any external program
 * only `do_paragraph()` builds regexp's that expand untrusted
  variables; according to [[Joey]], this is "Freaky code, but seems ok
  due to use of `quotementa`".
 #### Text::WrapI18N
 `Text::WrapI18N` can cause DoS
 ([Debian bug #470250](http://bugs.debian.org/470250)).
 It is optional, and we do not need the features it provides.
 If a recent enough po4a (>=2009-01-15 CVS, which will probably be
 released as 0.35) is installed, this module's use is fully disabled.
 Else, the wiki administrator is warned about this at runtime.
 #### Term::ReadKey
 `Term::ReadKey` is not a hard dependency in our case, *i.e.* po4a
 works nicely without it. But the po4a Debian package recommends
 `libterm-readkey-perl`, so it will probably be installed on most
 systems using the po plugin.
 `Term::ReadKey` has too far reaching implications for us to
 be able to guarantee anything wrt. security.
 If a recent enough po4a (>=2009-01-15 CVS, which will probably be
 released as 0.35) is installed, this module's use is fully disabled.
 #### Fuzzing input
 ##### po4a-translate
 * po4a CVS 2009-01-16
 * Perl 5.10.0
 `po4a-translate` uses more or less the same po4a features as our
 `filter` function.
 Without specifying an input charset, same behaviour as
 `po4a-gettextize`, so let's specify UTF-8 as input charset as of now.
 `LICENSES` is a 21M file containing 100 concatenated copies of all the
 files in `/usr/share/common-licenses/`; I had no existing PO file or
 translated versions at hand, which renders these tests
 quite incomplete.
        zzuf -cv -s 0:10 -r 0.001:0.3 \
          po4a-translate -d -f text -o markdown -M utf-8 -L utf-8 \
            -k 0 -m LICENSES -p LICENSES.fr.po -l test.fr
 ... seems to lose the fight, at the `readpo(LICENSES.fr.po)` step,
 against some kind of infinite loop, deadlock, or any similar beast.
 The root of this bug lies in `Text::WrapI18N`, see the corresponding
 section.
 ----
 # Fixed holes