[katello-devel] Translation strings with ruby code

jesus m. rodriguez jesusr at redhat.com
Fri May 20 13:44:22 UTC 2011


On 05/20/2011 09:38 AM, Bryan Kearney wrote:
> On 05/20/2011 08:51 AM, jesus m. rodriguez wrote:
>> On 05/20/2011 08:10 AM, Lukas Zapletal wrote:
>>> Hey,
>>>
>>> we often have strings with some ruby code, e.g.
>>>
>>> "bla bla #{some_variable}"
>>>
>>> I did not test this, but I guess these strings get extracted via gettext
>>> including the ruby code. If we use some online translation service in
>>> the future we might get into troubles.
>>>
>>> "bla bla #{User.create(name =>  'cracker', is_admin =>  true)}"
>>>
>>> To improve security I'd suggest to use the pythonic string formatting:
>>>
>>> N_("bla bla %s" % [some_variable])
>>>
>>> This could be also less cryptic for our translation teams and it could
>>> prevent typos introduced into the code with auto-translating tools.
>>>
>>> Comments?
>>>
>>
>> Is this really a concern? Shouldn't we verify the strings when they
>> come back before pushing out a release? Wouldn't this be verified
>> in testing, both functional and unit?
>>
>> I fear we'll be making a change to prevent a problem that may never
>> occur or could be preventable in other ways than changing how we
>> code.
>>
>> Just my 2 pesos.
>>
> 
> Who really verifies 1000 strings?

Write a script that pulls out the strings that contain 'ruby code',
that looks for possible injections. If we want to change that's fine
with me. I just think that if doing #{foo} is common in ruby strings
that making folks change is more difficult than automating some
sort of post processing script to detect possible security
issues.

If ruby folks don't care about keeping #{} in their strings, then
change all you want.

jesus

-- 
jesus m. rodriguez          | jesusr at redhat.com
principal software engineer | irc: zeus
red hat systems management  | 919.754.4413 (w)
rhce # 805008586930012      | 919.623.0080 (c)
+---------------------------------------------+
|   "Those who cannot remember the past       |
|    are condemned to repeat it."             |
|                        -- George Santayana  |
+---------------------------------------------+

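The post-processing script Jesus proposes, as an added example that is not Katello's own code: a small Ruby check over a gettext catalog that flags any msgstr containing `#{...}` and any msgstr whose `%` placeholders no longer match its msgid, followed by the format-after-lookup idiom (`_("...") % args`) in which the translated text is only ever data for `String#%`. Two caveats this example is built around: Ruby evaluates `#{}` only inside string literals in source, so a `#{...}` that arrives in a .po file at runtime is inert text unless the application evals it, and the far more common damage from a translation round-trip is a dropped or renamed placeholder, which breaks the message at runtime. The `.po` parser, the function names and the sample catalog are assumptions made for this example; the parser handles only single-line msgid/msgstr pairs with no plurals or escapes.

```ruby
# Added example, not Katello code: a post-processing check over a gettext
# catalog, plus the format-after-lookup idiom that keeps templates as data.

# Minimal .po reader. Assumption for this example: msgid/msgstr on single
# lines, no multi-line strings, no plural forms, no escape handling.
def parse_po(text)
  entries = {}
  msgid = nil
  text.each_line do |line|
    case line
    when /\Amsgid "(.*)"\s*\z/
      msgid = Regexp.last_match(1)
    when /\Amsgstr "(.*)"\s*\z/
      entries[msgid] = Regexp.last_match(1) unless msgid.nil? || msgid.empty?
    end
  end
  entries
end

# Placeholders a translator must carry over unchanged: %s/%d/%f,
# %{name} and %<name>s.
PLACEHOLDER   = /%(?:\{[^}]+\}|<[^>]+>[sdf]|[sdf])/
INTERPOLATION = /#\{[^}]*\}/

# Returns one hash per finding: Ruby interpolation syntax inside a
# translation, or a placeholder set that differs from the msgid's.
def check_translations(entries)
  entries.flat_map do |msgid, msgstr|
    issues = []
    if (m = msgstr.match(INTERPOLATION))
      issues << { msgid: msgid, kind: :ruby_interpolation, detail: m[0] }
    end
    expected = msgid.scan(PLACEHOLDER).sort
    actual   = msgstr.scan(PLACEHOLDER).sort
    if expected != actual
      issues << { msgid: msgid, kind: :placeholder_mismatch,
                  detail: "msgid has #{expected.inspect}, msgstr has #{actual.inspect}" }
    end
    issues
  end
end

# Format after lookup: String#% treats the (already translated) template
# as data, so any "#{...}" that reached the catalog stays literal text
# instead of running as Ruby.
def format_translated(template, args)
  template % args
end

# Constructed sample catalog (not a real Katello translation).
SAMPLE_PO = <<~'PO'
  msgid ""
  msgstr ""

  msgid "Deleted %s systems"
  msgstr "Eliminados %s sistemas"

  msgid "Hello %{user}"
  msgstr "Hola #{User.create(:name => 'cracker', :is_admin => true)}"

  msgid "%d errata applied to %s"
  msgstr "%s errata aplicadas"
PO

if __FILE__ == $PROGRAM_NAME
  check_translations(parse_po(SAMPLE_PO)).each do |i|
    puts "#{i[:kind]} in #{i[:msgid].inspect}: #{i[:detail]}"
  end
  puts format_translated('Hola %{user} #{system("id")}', user: "alice")
end
```

Run against the constructed catalog this reports one `ruby_interpolation` finding and two `placeholder_mismatch` findings, and the last line prints `Hola alice #{system("id")}` with the `#{...}` untouched; wiring the check into the build as a failing step before release is what makes it useful in practice.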
