Issue #27 resolved

polib doesn't check unescaped quote

James Ni
created an issue

Hi, currently I use polib in our project to convert po files to JSON format. I found that if msgstr or msgid contains an unescaped (illegal) quote, polib doesn't report an error and still treats it as an untranslated string. I have created a patch to fix it. Basically, I want to use the eval() function to do a Python escape semantics check. The idea is taken from msgfmt.py in python-tools. I also attach a test po file to test it. Thanks

Best Regards

Comments (2)

  1. David Jean Louis repo owner
    • changed status to open

    Hi,

    Besides the fact that it would slow down the parsing of big pofiles considerably, eval() is really something I don't want in the parser! What if someone writes a malicious pofile looking like this:

    msgid "owned !"
    msgstr "" or __import__("os").popen("rm -rf /")
    

    Don't try the above as root!

    eval() is evil! :) Use it only if you are absolutely sure of the input.

    Thanks anyway.
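
The check requested in the issue can be done without eval() by scanning the quoted string character by character. The following is an added example, not part of the thread, the submitted patch, or polib's code; `parse_po_string`, `check_po_lines` and the accepted escape set are assumptions made for illustration.

```python
import re

# Assumption: only these single-character C-style escapes are accepted.
ESCAPES = {"\\": "\\", '"': '"', "n": "\n", "t": "\t", "r": "\r",
           "a": "\a", "b": "\b", "f": "\f", "v": "\v"}
KEYWORD = re.compile(r'^(msgctxt|msgid_plural|msgid|msgstr(?:\[\d+\])?)\s+(.*)$')


class POSyntaxError(ValueError):
    pass


def parse_po_string(text):
    """Decode one double-quoted PO string; the input is only scanned, never executed."""
    text = text.strip()
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise POSyntaxError("value is not a single double-quoted string")
    out, i, end = [], 1, len(text) - 1
    while i < end:
        ch = text[i]
        if ch == '"':
            raise POSyntaxError("unescaped quote at column %d" % i)
        if ch == "\\":
            i += 1
            if i == end:
                raise POSyntaxError("closing quote is escaped (unterminated string)")
            if text[i] not in ESCAPES:
                raise POSyntaxError("unsupported escape \\%s" % text[i])
            ch = ESCAPES[text[i]]
        out.append(ch)
        i += 1
    return "".join(out)


def check_po_lines(lines):
    """Return (line_number, message) for every malformed string in a PO file."""
    errors = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = KEYWORD.match(line)
        value = match.group(2) if match else line  # continuation lines have no keyword
        try:
            parse_po_string(value)
        except POSyntaxError as exc:
            errors.append((number, str(exc)))
    return errors


# Constructed sample: line 2 has a stray quote, line 4 is the entry quoted in the comment above.
SAMPLE = ['msgid "say \\"hi\\""', 'msgstr "dire "salut""',
          'msgid "owned !"', 'msgstr "" or __import__("os").popen("rm -rf /")']
```

Both bad lines are reported as syntax errors; the second is rejected as text and never reaches an interpreter.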
