File: gettext.info,  Node: bash,  Next: gawk,  Prev: sh,  Up: List of Programming Languages

16.5.16 bash - Bourne-Again Shell Script
----------------------------------------

   GNU ‘bash’ 2.0 or newer has a special shorthand for translating a
string and substituting variable values in it: ‘$"msgid"’.  But the use
of this construct is *discouraged*, due to the security holes it opens
and due to its portability problems.

   The security holes of ‘$"..."’ come from the fact that after looking
up the translation of the string, ‘bash’ processes it like it processes
any double-quoted string: dollar and backquote processing, like ‘eval’
does.

  1. In a locale whose encoding is one of BIG5, BIG5-HKSCS, GBK,
     GB18030, SHIFT_JIS, JOHAB, some double-byte characters have a
     second byte whose value is ‘0x60’.  For example, the byte sequence
     ‘\xe0\x60’ is a single character in these locales.  Many versions
     of ‘bash’ (all versions up to bash-2.05, and newer versions on
     platforms without ‘mbsrtowcs()’ function) don't know about
     character boundaries and see a backquote character where there is
     only a particular Chinese character.  Thus it can start executing
     part of the translation as a command list.  This situation can
     occur even without the translator being aware of it: if the
     translator provides translations in the UTF-8 encoding, it is the
     ‘gettext()’ function which will, during its conversion from the
     translator's encoding to the user's locale's encoding, produce the
     dangerous ‘\x60’ bytes.

  2. A translator could - voluntarily or inadvertently - use backquotes
     ‘"`...`"’ or dollar-parentheses ‘"$(...)"’ in her translations.
     The enclosed strings would be executed as command lists by the
     shell.

   The portability problem is that ‘bash’ must be built with
internationalization support; this is normally not the case on systems
that don't have the ‘gettext()’ function in libc.