List:       kde-i18n-doc
Subject:    Re: KGeography needs your help
From:       Nicolas Goutte <nicolasg () snafu ! de>
Date:       2005-08-10 17:08:18
Message-ID: 200508101908.18130.nicolasg () snafu ! de

On Wednesday 10 August 2005 05:51, Chusslove Illich wrote:
> > [: Nicolas Goutte :]
> > However it must be seen how easy it would be for an attacker to use
> > ways similar to code injection or cross-site scripting (so in short,
> > make the non-executed string executable nevertheless.)
>
> Ok, I am out of my imagination here :) But there is also other side to
> this. What I forgot to recall before, is that scripting engine is not
> called at all if the msgstr *doesn't contain a script*. And it is not
> likely that msgstrs with placeholders for error messages, or actually any
> arguments which are arbitrary user input, would need scripting -- what
> would you script for an argument you have no clue what it might be?

Yes that would be a good point.

>
> Again, as scripts would be rare, we could set up notifications for *any*
> committed scripted message and panic if arguments it gets are indeed
> arbitrary user input...

I am thinking about having a member function like arg where you would tell 
that you do not trust it. (However I am not sure how useful it would be.)

>
> > Well currently without scripting, there is hardly any harm that can be
> > done. If the user-given string has any %1, maybe the script will look
> > odd but that is all. Maybe the string from the user is very long, but
> > it is the responsibility of the C++ code to disallow for example buffer
> > overflows.
>
> In the current solution I didn't implement interpretation of placeholder in
> scripts, because it didn't feel clean, and now you also give me a
> reason :) 

That is why security must be discussed. It seems that your choice was wise.

(...)

Have a nice day!
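The design point argued in this thread (the script engine only runs on the catalog's own msgstr, and placeholder arguments are spliced in afterwards as opaque data, so text supplied by the user is never parsed for placeholders or script markers) can be shown with a small toy renderer. The following is an added example written for this archive page; it is not code from KDE's i18n classes or from the scripting engine under discussion. The `$[upper ...]` directive, the `%N` placeholder syntax and all function names are assumptions made for the illustration.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Hypothetical script marker used by the toy engine (assumption, not KDE syntax).
static const std::string kScriptOpen  = "$[";
static const std::string kScriptClose = "]";

// The engine is only consulted when the catalog string itself carries a script.
bool isScripted(const std::string& msgstr) {
    return msgstr.find(kScriptOpen) != std::string::npos;
}

// Toy script evaluator: supports a single directive, "$[upper TEXT]".
// It receives the msgstr from the catalog only; arguments are never passed to it,
// so a script can neither see nor expand %N placeholders (mirroring the thread).
std::string evalScripts(const std::string& msgstr) {
    std::string out;
    std::string::size_type pos = 0;
    for (;;) {
        const auto open = msgstr.find(kScriptOpen, pos);
        if (open == std::string::npos) { out += msgstr.substr(pos); break; }
        const auto close = msgstr.find(kScriptClose, open);
        if (close == std::string::npos) { out += msgstr.substr(pos); break; }
        out += msgstr.substr(pos, open - pos);
        const std::string body = msgstr.substr(open + 2, close - open - 2);
        const std::string cmd = "upper ";
        if (body.compare(0, cmd.size(), cmd) == 0) {
            for (char c : body.substr(cmd.size()))
                out += static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
        } else {
            out += msgstr.substr(open, close - open + 1);  // unknown directive: keep verbatim
        }
        pos = close + 1;
    }
    return out;
}

// Placeholder substitution in one left-to-right pass: %1, %2, ... are replaced by
// the corresponding argument, and the inserted argument text is never rescanned,
// so a "%1" or "$[" inside an argument stays literal.
std::string substitute(const std::string& text, const std::vector<std::string>& args) {
    std::string out;
    for (std::string::size_type i = 0; i < text.size(); ++i) {
        if (text[i] == '%' && i + 1 < text.size() &&
            std::isdigit(static_cast<unsigned char>(text[i + 1]))) {
            std::string::size_type j = i + 1;
            std::size_t n = 0;
            while (j < text.size() && std::isdigit(static_cast<unsigned char>(text[j]))) {
                n = n * 10 + static_cast<std::size_t>(text[j] - '0');
                ++j;
            }
            if (n >= 1 && n <= args.size()) { out += args[n - 1]; i = j - 1; continue; }
        }
        out += text[i];  // unmatched placeholder or plain character
    }
    return out;
}

// Safe ordering: scripts run over the catalog string first, arguments go in last.
std::string render(const std::string& msgstr, const std::vector<std::string>& args) {
    const std::string text = isScripted(msgstr) ? evalScripts(msgstr) : msgstr;
    return substitute(text, args);
}

// The ordering the thread's injection worry is about: if arguments were spliced in
// before the engine ran, a script marker carried by user input would be evaluated.
std::string renderSubstituteFirst(const std::string& msgstr, const std::vector<std::string>& args) {
    const std::string text = substitute(msgstr, args);
    return isScripted(text) ? evalScripts(text) : text;
}
```

With `render`, an argument such as a user-typed file name containing `$[upper x]` is printed exactly as typed, while `renderSubstituteFirst` would hand that text to the engine; the contrast is the whole reason the thread prefers keeping placeholders out of script interpretation.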
