[Po4a-devel] po4a against untrusted content

Nicolas François nicolas.francois at centraliens.net
Thu Jan 15 23:15:19 UTC 2009


Hi,

Thanks for the 2 patches (and the documentation). I committed them.

I made a change in the second one. I don't think there is a need for
checking if STDIN is a terminal, so I removed this test, and I added a
test for STDERR.
(the re-wrapped messages are usually sent to STDERR, so this STDERR check
is probably more important than STDOUT).

On Thu, Jan 15, 2009 at 06:12:58PM +0100, intrigeri at boum.org wrote:
>
> Side note: as this works around #470250, and fixes a security issue
> (exposed by my ikiwiki plugin use case), is it realistic to get
> something based on this patch into Lenny? I would happily provide the
> same patch against the po4a package currently in Lenny.

If #470250 is really a security issue (DOS, right?), I would prefer
libtext-wrapi18n-perl to be fixed. This would also provide a fix for
non-programmatic usage of the Locale::Po4a library and even usage of
libtext-wrapi18n-perl outside of po4a.

Do you think this should be raised to the security team and release team?

Best Regards,
-- 
Nekral
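An added illustration of the terminal check discussed in this message (example code, not po4a's own; Text::Wrap, a core module, stands in for Text::WrapI18N, the 76-column width is an assumed value, and the function names are hypothetical):

```perl
#!/usr/bin/perl
# Added example, not po4a's code: hand a message to the wrapper only when
# the destination filehandle is a terminal. Text::Wrap (core) stands in for
# Text::WrapI18N, which the thread discusses; the gating logic is the same.
use strict;
use warnings;
use Text::Wrap qw(wrap $columns);

# Wrap $text for $fh only if $fh is an interactive terminal (-t).
# Non-terminal callers (a library embedding such as an ikiwiki plugin, a
# redirected pipe, a cron job) get the text back unchanged, so untrusted
# input never reaches the wrapper at all.
sub wrap_for_fh {
    my ($fh, $text) = @_;
    return $text unless -t $fh;   # not a terminal: pass through verbatim
    local $columns = 76;          # assumed width; po4a's own value is not given here
    return wrap('', '', $text);
}

# Diagnostics go to STDERR, which is why the thread checks STDERR rather
# than STDIN or STDOUT.
sub warn_wrapped {
    my ($text) = @_;
    print STDERR wrap_for_fh(\*STDERR, $text), "\n";
}

# Constructed sample: one over-long line, as might come from an untrusted
# document being translated.
my $msg = "untrusted input: " . ("x" x 200);
warn_wrapped($msg);

# Try:  perl wrap_tty.pl               (STDERR is a tty: output is wrapped)
#       perl wrap_tty.pl 2>&1 | cat    (not a tty: one long line, no wrapper call)
```

The check is on the filehandle the message is written to, not on STDIN: whether the process reads from a terminal says nothing about where the re-wrapped text will end up.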
