[Python-Dev] PEP 215 redux: toward a simplified consensus?
Barry A. Warsaw
barry@zope.com
Mon, 25 Feb 2002 18:04:46 -0500
>>>>> "JE" == Jeff Epler <jepler@unpythonic.dhs.org> writes:
JE> On Mon, Feb 25, 2002 at 11:25:48PM +0100, Martin v. Loewis
JE> wrote:
>> That's not a vulnerability. It assumes that the translator is
>> an attacker, or that the attacker can change the catalogs. If
>> he is or can, you could not trust them, anyway, as they could
>> cause arbitrary other failures, as well.
JE> It means that you must audit not only your source code, but
JE> also your message catalogs, to determine whether information
JE> that is supposed to remain internal to a program is not
JE> formatted into a string. Of course, it is fairly easy to do
JE> this audit by showing that the translated string doesn't
JE> contain substitution on any identifiers that the original
JE> string did not.
From what I've been told, newer versions (possibly not yet released)
of the GNU gettext tools will do exactly that, and understand Python
syntax too (hmm, an argument for keeping the current crop of %-string
rules?).
Alternatively, or in conjunction, you should be auditing your
translation sites to make sure that maliciously translated strings
can't access sensitive information.
-Barry
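The audit Jeff describes (check that a translated string substitutes no identifier the original did not) is mechanical enough to script. The following is an added example, not code from this thread, from PEP 215, or from the GNU gettext tools; it assumes a catalog that uses only named %-style placeholders such as `%(user)s`, and the catalog contents are constructed for illustration.

```python
import re

# Named %-style placeholder: %(key)s, %(count)d, %(x)5.2f and so on.
# Assumption: catalogs use only this named form. "%%" escapes are not
# special-cased, so "%%(x)s" is flagged too; that errs on the side of
# reporting rather than missing a substitution.
PLACEHOLDER_RE = re.compile(
    r"%\((?P<key>[^)]+)\)[#0\- +]*\d*(?:\.\d+)?[diouxXeEfFgGcrs%]"
)


def placeholders(fmt):
    """Set of identifiers a %-format string will look up."""
    return {m.group("key") for m in PLACEHOLDER_RE.finditer(fmt)}


def audit_catalog(entries):
    """Map each msgid whose translation substitutes identifiers the
    original does not to the set of those extra identifiers."""
    problems = {}
    for msgid, msgstr in entries.items():
        extra = placeholders(msgstr) - placeholders(msgid)
        if extra:
            problems[msgid] = extra
    return problems


# Constructed sample catalog (msgid -> msgstr); the second entry is a
# malicious translation that adds a %(password)s substitution.
CATALOG = {
    "Welcome, %(user)s.": "Bienvenue, %(user)s.",
    "Login failed for %(user)s.":
        "Echec de connexion pour %(user)s (%(password)s).",
}


def render_unsafely(msgid, namespace):
    """The risky idiom: _(msgid) % locals(), handing every name in
    scope to whatever the translation asks for."""
    return CATALOG.get(msgid, msgid) % namespace


def render_safely(msgid, **allowed):
    """Refuse translations that add placeholders, and format only with
    the explicitly passed keyword values rather than a whole namespace."""
    fmt = CATALOG.get(msgid, msgid)
    extra = placeholders(fmt) - placeholders(msgid)
    if extra:
        raise ValueError(
            "translation of %r adds placeholders %s" % (msgid, sorted(extra))
        )
    return fmt % allowed


if __name__ == "__main__":
    # Hypothetical scope of a login handler: the secret sits next to
    # the value the message legitimately needs.
    scope = {"user": "alice", "password": "hunter2"}
    print(audit_catalog(CATALOG))
    print(render_unsafely("Login failed for %(user)s.", scope))
    try:
        render_safely("Login failed for %(user)s.", user=scope["user"])
    except ValueError as exc:
        print("blocked:", exc)
```

Running the audit over the whole catalog at build time catches the bad msgstr before it ships; passing keyword values instead of `locals()` limits what a bad msgstr can reach even if the audit is skipped, because an unexpected `%(password)s` then raises `KeyError` instead of formatting the secret into the message.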