Source: https://mail.python.org/pipermail/python-dev/2002-February/020323.html

[Python-Dev] PEP 215 redux: toward a simplified consensus?
Jeff Epler jepler@unpythonic.dhs.org
Mon, 25 Feb 2002 16:45:33 -0600
On Mon, Feb 25, 2002 at 11:25:48PM +0100, Martin v. Loewis wrote:
> That's not a vulnerability. It assumes that the translator is an
> attacker, or that the attacker can change the catalogs. If he is or
> can, you could not trust them, anyway, as they could cause arbitrary
> other failures, as well.

It means that you must audit not only your source code, but also your
message catalogs, to determine whether information that is supposed to
remain internal to a program is not formatted into a string.  Of course,
it is fairly easy to do this audit by showing that the translated string
doesn't contain substitution on any identifiers that the original string
did not.

I don't think it's impossible that someone supplying catalogs could be
an "attacker", even if a plausible scenario doesn't come directly to
mind.

Jeff
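The audit Jeff describes, written out as an added example (this is not code from the post, from PEP 215, or from the Python project). It uses `string.Template` as a stand-in for PEP 215's `$name` interpolation, since both substitute `$name` / `${name}` from a namespace; the message catalog, the "translations" and the namespace holding a secret are all constructed for the example. The first function lists the identifiers a format string would substitute, the audit compares each translation's identifiers against its original, and the `render` helper refuses a translation that substitutes names the original did not and, as a second line of defence, exposes only the original's names to the substitution.

```python
from string import Template

# Constructed example catalog: one source string and two candidate translations.
ORIGINAL = "Welcome, $user! You have $count new messages."
TRANSLATION_OK = "Willkommen, $user! Sie haben $count neue Nachrichten."
# A hostile translation: same text, plus a substitution the original never had.
TRANSLATION_BAD = "Willkommen, $user! Ihr API-Schlüssel ist $api_key."

CATALOG_OK = {ORIGINAL: TRANSLATION_OK}
CATALOG_BAD = {ORIGINAL: TRANSLATION_BAD}

# Constructed namespace, standing in for the locals at the point of use
# (PEP 215 interpolated against them). The secret is what must not leak.
NAMESPACE = {"user": "alice", "count": 3, "api_key": "sk-constructed-secret"}


def identifiers(fmt):
    """Names a Template would substitute in fmt ($x and ${x}; $$ is an escape).

    Uses Template.pattern, the documented regex string.Template matches with.
    """
    names = set()
    for m in Template.pattern.finditer(fmt):
        name = m.group("named") or m.group("braced")
        if name is not None:
            names.add(name)
    return names


def audit_catalog(catalog):
    """Return [(msgid, [extra names])] for translations that substitute
    identifiers their original string does not."""
    findings = []
    for msgid, msgstr in catalog.items():
        extra = identifiers(msgstr) - identifiers(msgid)
        if extra:
            findings.append((msgid, sorted(extra)))
    return findings


def unaudited_render(msgid, catalog, namespace):
    """What happens without the audit: the translation interpolates against
    the whole namespace, so any name the translator adds is resolved."""
    return Template(catalog.get(msgid, msgid)).substitute(namespace)


def render(msgid, catalog, namespace):
    """Translate msgid and interpolate it, refusing translations that add
    identifiers and exposing only the original string's names."""
    msgstr = catalog.get(msgid, msgid)
    allowed = identifiers(msgid)
    extra = identifiers(msgstr) - allowed
    if extra:
        raise ValueError(
            "translation of %r substitutes unexpected names: %s"
            % (msgid, sorted(extra))
        )
    # Even if a future catalog slips past the audit, only these names exist
    # for substitution; anything else raises KeyError instead of leaking.
    restricted = {name: namespace[name] for name in allowed}
    return Template(msgstr).substitute(restricted)


if __name__ == "__main__":
    print("audit of good catalog:", audit_catalog(CATALOG_OK))
    print("audit of bad catalog: ", audit_catalog(CATALOG_BAD))
    print("unaudited:", unaudited_render(ORIGINAL, CATALOG_BAD, NAMESPACE))
    print("audited:  ", render(ORIGINAL, CATALOG_OK, NAMESPACE))
    try:
        render(ORIGINAL, CATALOG_BAD, NAMESPACE)
    except ValueError as exc:
        print("refused:  ", exc)
```

`audit_catalog` is the offline check on a whole catalog (run it in CI when translations land); `render` repeats the check at the point of use so a catalog that was never audited cannot pull extra names out of the namespace. The second defence matters because the audit only proves the translation substitutes a subset of the original's identifiers; it does not stop a translator from reordering or dropping them, which is harmless for the confidentiality concern raised in the post but worth knowing when reading findings.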


