@c This file is part of the GNU gettext manual.
@c Copyright (C) 1995-2020 Free Software Foundation, Inc.
@c See the file gettext.texi for copying conditions.

@node bash
@subsection bash - Bourne-Again Shell Script
@cindex bash

GNU @code{bash} 2.0 or newer has a special shorthand for translating a
string and substituting variable values in it: @code{$"msgid"}.  But
the use of this construct is @strong{discouraged}, due to the security
holes it opens and due to its portability problems.

The security holes of @code{$"..."} come from the fact that after looking up
the translation of the string, @code{bash} processes it like it processes
any double-quoted string: dollar and backquote processing, like @samp{eval}
does.

@enumerate
@item
In a locale whose encoding is one of BIG5, BIG5-HKSCS, GBK, GB18030, SHIFT_JIS,
JOHAB, some double-byte characters have a second byte whose value is
@code{0x60}.  For example, the byte sequence @code{\xe0\x60} is a single
character in these locales.  Many versions of @code{bash} (all versions
up to bash-2.05, and newer versions on platforms without @code{mbsrtowcs()}
function) don't know about character boundaries and see a backquote character
where there is only a particular Chinese character.  Thus it can start
executing part of the translation as a command list.  This situation can occur
even without the translator being aware of it: if the translator provides
translations in the UTF-8 encoding, it is the @code{gettext()} function which
will, during its conversion from the translator's encoding to the user's
locale's encoding, produce the dangerous @code{\x60} bytes.

@item
A translator could - voluntarily or inadvertently - use backquotes
@code{"`...`"} or dollar-parentheses @code{"$(...)"} in her translations.
The enclosed strings would be executed as command lists by the shell.
@end enumerate
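
As an added example, not from the gettext manual, here is the pattern the discussion above points to: fetch the translation as plain data and substitute only explicitly named variables with parameter expansion, so that backquotes or @code{$(...)} inside a translation are never handed to dollar or backquote processing. The message catalog in @code{lookup_msg}, its translations (including the constructed hostile one), and the helper names are all assumptions made for this sketch.

```shell
#!/bin/sh
# Constructed stand-in for a message catalog lookup (a real script would
# call the gettext(1) program). Every translation is returned with printf
# as literal data; the shell never re-parses it.
lookup_msg() {
  case "$1" in
    'Hello, $USER!') printf '%s\n' 'Bonjour, $USER !' ;;
    # Constructed hostile translation: must come back unchanged, unexecuted.
    'Untrusted')     printf '%s\n' 'Mauvais `uname` et $(id)' ;;
    *)               printf '%s\n' "$1" ;;
  esac
}

# replace_all STRING PATTERN REPLACEMENT: literal, eval-free replacement of
# every occurrence of PATTERN. The quoted "$pat" in case/${..%%..} keeps
# metacharacters such as $, ` and * from being interpreted.
replace_all() {
  s=$1 pat=$2 rep=$3 out=
  while :; do
    case $s in
      *"$pat"*) out=$out${s%%"$pat"*}$rep; s=${s#*"$pat"} ;;
      *)        out=$out$s; break ;;
    esac
  done
  printf '%s' "$out"
}

# i18n_format MSGID NAME=VALUE...: look up MSGID and expand only the listed
# variables ($NAME or ${NAME}) in the translation; anything else, including
# command substitutions the translator may have written, stays literal text.
i18n_format() {
  msg=$(lookup_msg "$1"); shift
  for pair in "$@"; do
    name=${pair%%=*}; value=${pair#*=}
    msg=$(replace_all "$msg" "\${$name}" "$value")
    msg=$(replace_all "$msg" "\$$name" "$value")
  done
  printf '%s' "$msg"
}

i18n_format 'Hello, $USER!' USER=alice; echo
i18n_format 'Untrusted'; echo
```

The second call returns the backquotes and @code{$(id)} verbatim, which is exactly the behaviour that @code{$"msgid"} does not guarantee.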

The portability problem is that @code{bash} must be built with
internationalization support; this is normally not the case on systems
that don't have the @code{gettext()} function in libc.
