mingw/gettext/gettext-tools/doc/lang-bash.texi - kiwivm - Git at Google

 @c This file is part of the GNU gettext manual.
 @c Copyright (C) 1995-2020 Free Software Foundation, Inc.
 @c See the file gettext.texi for copying conditions.

 @node bash
 @subsection bash - Bourne-Again Shell Script
 @cindex bash

 GNU @code{bash} 2.0 or newer has a special shorthand for translating a
 string and substituting variable values in it: @code{$"msgid"}.  But
 the use of this construct is @strong{discouraged}, due to the security
 holes it opens and due to its portability problems.

 The security holes of @code{$"..."} come from the fact that after looking up
 the translation of the string, @code{bash} processes it like it processes
 any double-quoted string: dollar and backquote processing, like @samp{eval}
 does.

 @enumerate
 @item
 In a locale whose encoding is one of BIG5, BIG5-HKSCS, GBK, GB18030, SHIFT_JIS,
 JOHAB, some double-byte characters have a second byte whose value is
 @code{0x60}.  For example, the byte sequence @code{\xe0\x60} is a single
 character in these locales.  Many versions of @code{bash} (all versions
 up to bash-2.05, and newer versions on platforms without @code{mbsrtowcs()}
 function) don't know about character boundaries and see a backquote character
 where there is only a particular Chinese character.  Thus it can start
 executing part of the translation as a command list.  This situation can occur
 even without the translator being aware of it: if the translator provides
 translations in the UTF-8 encoding, it is the @code{gettext()} function which
 will, during its conversion from the translator's encoding to the user's
 locale's encoding, produce the dangerous @code{\x60} bytes.

 @item
 A translator could - voluntarily or inadvertently - use backquotes
 @code{"`...`"} or dollar-parentheses @code{"$(...)"} in her translations.
 The enclosed strings would be executed as command lists by the shell.
 @end enumerate

 The portability problem is that @code{bash} must be built with
 internationalization support; this is normally not the case on systems
 that don't have the @code{gettext()} function in libc.
	@c This file is part of the GNU gettext manual.
	@c Copyright (C) 1995-2020 Free Software Foundation, Inc.
	@c See the file gettext.texi for copying conditions.

	@node bash
	@subsection bash - Bourne-Again Shell Script
	@cindex bash

	GNU @code{bash} 2.0 or newer has a special shorthand for translating a
	string and substituting variable values in it: @code{$"msgid"}. But
	the use of this construct is @strong{discouraged}, due to the security
	holes it opens and due to its portability problems.

	The security holes of @code{$"..."} come from the fact that after looking up
	the translation of the string, @code{bash} processes it like it processes
	any double-quoted string: dollar and backquote processing, like @samp{eval}
	does.

	@enumerate
	@item
	In a locale whose encoding is one of BIG5, BIG5-HKSCS, GBK, GB18030, SHIFT_JIS,
	JOHAB, some double-byte characters have a second byte whose value is
	@code{0x60}. For example, the byte sequence @code{\xe0\x60} is a single
	character in these locales. Many versions of @code{bash} (all versions
	up to bash-2.05, and newer versions on platforms without @code{mbsrtowcs()}
	function) don't know about character boundaries and see a backquote character
	where there is only a particular Chinese character. Thus it can start
	executing part of the translation as a command list. This situation can occur
	even without the translator being aware of it: if the translator provides
	translations in the UTF-8 encoding, it is the @code{gettext()} function which
	will, during its conversion from the translator's encoding to the user's
	locale's encoding, produce the dangerous @code{\x60} bytes.

	@item
	A translator could - voluntarily or inadvertently - use backquotes
	@code{"`...`"} or dollar-parentheses @code{"$(...)"} in her translations.
	The enclosed strings would be executed as command lists by the shell.
	@end enumerate

	The portability problem is that @code{bash} must be built with
	internationalization support; this is normally not the case on systems
	that don't have the @code{gettext()} function in libc.