gettext: bash
1
1 15.5.3 bash - Bourne-Again Shell Script
1 ---------------------------------------
1
1 GNU ‘bash’ 2.0 or newer has a special shorthand for translating a
1 string and substituting variable values in it: ‘$"msgid"’. But the use
1 of this construct is *discouraged*, due to the security holes it opens
1 and due to its portability problems.
1
1 The security holes of ‘$"..."’ come from the fact that after looking
1 up the translation of the string, ‘bash’ processes it like it processes
1 any double-quoted string: dollar and backquote processing, like ‘eval’
1 does.
1
1 1. In a locale whose encoding is one of BIG5, BIG5-HKSCS, GBK,
1 GB18030, SHIFT_JIS, JOHAB, some double-byte characters have a
1 second byte whose value is ‘0x60’. For example, the byte sequence
1 ‘\xe0\x60’ is a single character in these locales. Many versions
1 of ‘bash’ (all versions up to bash-2.05, and newer versions on
1 platforms without ‘mbsrtowcs()’ function) don’t know about
1 character boundaries and see a backquote character where there is
1 only a particular Chinese character. Thus it can start executing
1 part of the translation as a command list. This situation can
1 occur even without the translator being aware of it: if the
1 translator provides translations in the UTF-8 encoding, it is the
1 ‘gettext()’ function which will, during its conversion from the
1 translator’s encoding to the user’s locale’s encoding, produce the
1 dangerous ‘\x60’ bytes.
1
1 2. A translator could - voluntarily or inadvertently - use backquotes
1 ‘"`...`"’ or dollar-parentheses ‘"$(...)"’ in her translations.
1 The enclosed strings would be executed as command lists by the
1 shell.
1
1 The portability problem is that ‘bash’ must be built with
1 internationalization support; this is normally not the case on systems
1 that don’t have the ‘gettext()’ function in libc.
1