Security review for tmserver:
translate/services/tmserver.py uses a translate/misc/tmdb object and exposes it 
via a REST api. This api is defined in __init__() in tmserver.py, and exposes 
GET, POST, PUT and DELETE. Several of the defined methods are noops and marked 
as TODO. The api is simple, and arguments are sanitized. tmserver is resistant 
to SQL injection via its correct use of the python Cursor object and DB-API 
parameter substitution via tmdb.py. It also appears to be using the logging 
module correctly in misc/wsgi.py.

Beyond the coding of tmserver.py, there are a few issues:
- tmserver.py does not support SSL so server and client interactions can be 
MITMd
- there is no authentication built into tmserver.py
- the way misc/wsgi.py is coded, it will try the following in order: 
cherrypy, werkzeug, django and finally wsgiref (part of python). Upstream 
doesn't appear too thrilled with wsgiref because "it doesn't support 
concurrency at all". I think the way that wsgi.py is coded makes maintenance 
difficult, as people may use different backends which may have different 
behaviors.

The MITM does not seem to be an issue for client to server
communications, as the server is coded defensively (but obviously faulty
data could be inserted into its sqlite database). Server to client
communications could be problematic depending on what the client is
doing and whether or not it trusts the server. The rdepends of
translate-toolkit are virtaal, pootle, and lokalize (all in universe).
As pootle is a "Web-based translation and translation management tool",
it may have tmserver support, but I did not check it. I don't think this
is a blocker in general, as translate-toolkit does not ship an
initscript for tmserver.py, it is not running after install and the
manpage gives an example that uses an unprivileged port.

All that said, since libreoffice needs this, but it does not explicitly
need tmserver, it would be preferred if tmserver was split out into its
own package and put in universe, or not shipped at all. Since this is
extremely late in the Oneiric cycle, I do not hold out much hope for
this....

** Changed in: translate-toolkit (Ubuntu Oneiric)
       Status: In Progress => Confirmed

** Changed in: translate-toolkit (Ubuntu Oneiric)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)
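To show what the review means by "correct use of the python Cursor object and DB-API parameter substitution", here is an added example that is not code from translate-toolkit or tmdb.py: a constructed in-memory stand-in for a translation-memory table, queried once with a string-built statement and once with a bound parameter. Natural text with an apostrophe (common in translation data) breaks the string-built query; the parameterized one treats it as a value.

```python
import sqlite3

# Constructed sample data; the real tmdb.py schema is not reproduced here.
SAMPLE_UNITS = [
    ("Hello", "Bonjour"),
    ("File", "Fichier"),
    ("l'état", "the state"),
]


def make_db():
    """Create an in-memory database seeded with the constructed sample units."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE units (source TEXT, target TEXT)")
    conn.executemany("INSERT INTO units VALUES (?, ?)", SAMPLE_UNITS)
    conn.commit()
    return conn


def lookup_unsafe(conn, source):
    """String-built query: the caller's text becomes part of the SQL statement."""
    cur = conn.cursor()
    cur.execute("SELECT target FROM units WHERE source = '%s'" % source)
    return [row[0] for row in cur.fetchall()]


def lookup_safe(conn, source):
    """DB-API parameter substitution: the text is bound as a value, never parsed as SQL."""
    cur = conn.cursor()
    cur.execute("SELECT target FROM units WHERE source = ?", (source,))
    return [row[0] for row in cur.fetchall()]


def compare(source):
    """Run both lookups on the same input; report the rows, or the error the unsafe path raises."""
    conn = make_db()
    safe = lookup_safe(conn, source)
    try:
        unsafe = lookup_unsafe(conn, source)
    except sqlite3.Error as exc:
        # The apostrophe in ordinary text terminates the quoted literal early.
        unsafe = "error: %s" % exc.__class__.__name__
    return {"safe": safe, "unsafe": unsafe}
```

The same property that makes the parameterized lookup robust to apostrophes in translation text is what keeps it from interpreting any other caller-supplied text as SQL.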

https://bugs.launchpad.net/bugs/834442

Title:
  [MIR] translate-toolkit
