gettext: bash

1 
1 15.5.3 bash - Bourne-Again Shell Script
1 ---------------------------------------
1 
1    GNU ‘bash’ 2.0 or newer has a special shorthand for translating a
1 string and substituting variable values in it: ‘$"msgid"’.  But the use
1 of this construct is *discouraged*, due to the security holes it opens
1 and due to its portability problems.
1 
1    The security holes of ‘$"..."’ come from the fact that after looking
1 up the translation of the string, ‘bash’ processes it like it processes
1 any double-quoted string: dollar and backquote processing, like ‘eval’
1 does.
1 
1   1. In a locale whose encoding is one of BIG5, BIG5-HKSCS, GBK,
1      GB18030, SHIFT_JIS, JOHAB, some double-byte characters have a
1      second byte whose value is ‘0x60’.  For example, the byte sequence
1      ‘\xe0\x60’ is a single character in these locales.  Many versions
1      of ‘bash’ (all versions up to bash-2.05, and newer versions on
1      platforms without ‘mbsrtowcs()’ function) don’t know about
1      character boundaries and see a backquote character where there is
1      only a particular Chinese character.  Thus it can start executing
1      part of the translation as a command list.  This situation can
1      occur even without the translator being aware of it: if the
1      translator provides translations in the UTF-8 encoding, it is the
1      ‘gettext()’ function which will, during its conversion from the
1      translator’s encoding to the user’s locale’s encoding, produce the
1      dangerous ‘\x60’ bytes.
1 
1   2. A translator could - voluntarily or inadvertently - use backquotes
1      ‘"`...`"’ or dollar-parentheses ‘"$(...)"’ in her translations.
1      The enclosed strings would be executed as command lists by the
1      shell.
1 
1    The portability problem is that ‘bash’ must be built with
1 internationalization support; this is normally not the case on systems
1 that don’t have the ‘gettext()’ function in libc.
1