On Sat, Apr 11, 2015 at 01:27:53PM -0400, Chet Ramey wrote:
> On 4/10/15 11:09 AM, Greg Wooledge wrote:
> > - Fix the $"..." security hole (I tried and failed).
> > http://www.gnu.org/software/gettext/manual/html_node/bash.html
>
> Yeah, I didn't like the all-or-nothing choice the patch implemented. If
> command substitution is the problem, a better approach would have been to
> inhibit command substitution instead of every word expansion. That's just
> not easy to do at the point where locale transformation gets done -- it
> requires processing the translated string to insert some kind of quoting.
I'm skeptical about any substitutions being performed in a translated
string. While I don't have real-life experience writing localized shell
scripts, I would *think* the correct way to put variables in a translated
string is:

    printf $"Hello, %s. Welcome to %s." "$LOGNAME" "$HOSTNAME"

As the script writer, I would want some guarantee that the translated
string won't undergo any substitutions at all (especially not command
substitutions, but even something like $1 in the translation, expanded to
whatever garbage is in the positional parameters, would make the output
appear wrong).

But then I suppose I would also want some guarantee that the translated
string won't contain any extra % or \ characters for printf to trip over.
That may be outside of bash's scope. It's a messy problem.
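The two guarantees Greg asks for above (no shell expansion syntax in a translated string, and no stray printf conversions or backslashes) are things a script maintainer can check for in the message catalog before it is installed, since bash itself does not. The script below is an added example written for this page, not code from the thread, from bash, or from gettext; the function name check_translation, the sample msgid/msgstr pairs, and the return codes are all constructed for illustration. It treats every translation that bash would expand after the locale lookup as a rejection, and compares the printf conversion specifiers of the translation against those of the original so that the argument list passed to printf still lines up.

```shell
#!/bin/sh
# Hypothetical catalog check (constructed example, not part of bash or gettext).
# A translation used in $"..." is expanded by bash like a double-quoted string,
# so any $ or backquote in the msgstr is executed, not printed. A stray % or \
# in the msgstr is then interpreted by printf. Reject both before install.

# Extract the printf conversion specifiers of a format string, in order,
# e.g. "Hello, %s. %5d%%" -> "%s %5d %% ".
conversions() {
    printf '%s\n' "$1" | grep -o '%[^%a-zA-Z]*[a-zA-Z%]' | tr '\n' ' '
}

# check_translation MSGID MSGSTR
#   returns 0 if MSGSTR is safe to use in place of MSGID,
#   1 if it contains shell expansion syntax ($ or `),
#   2 if it contains a backslash (printf escape sequences),
#   3 if its printf conversions do not match MSGID's.
check_translation() {
    msgid=$1
    msgstr=$2

    # 1. anything bash would expand after the locale lookup
    case $msgstr in
        *'$'*|*'`'*) return 1 ;;
    esac

    # 2. backslashes that printf would turn into escape sequences
    case $msgstr in
        *\\*) return 2 ;;
    esac

    # 3. conversions must agree in number, order and kind, or the
    #    "$LOGNAME" "$HOSTNAME" arguments no longer match the format
    [ "$(conversions "$msgid")" = "$(conversions "$msgstr")" ] || return 3
    return 0
}

# Demonstration on constructed candidate translations for one msgid.
demo() {
    msgid='Hello, %s. Welcome to %s.'
    for msgstr in \
        'Bonjour, %s. Bienvenue sur %s.' \
        'Bonjour, %s. Bienvenue sur $(hostname).' \
        'Bonjour, %s. Bienvenue sur %s.\n' \
        'Bonjour, %d. Bienvenue sur %s.'
    do
        if check_translation "$msgid" "$msgstr"; then
            printf 'OK      %s\n' "$msgstr"
        else
            printf 'REJECT  (code %d) %s\n' "$?" "$msgstr"
        fi
    done
}

# Run the demonstration only when executed directly, not when sourced.
case $0 in
    *check_translation*|*catalog*) demo ;;
esac
```

Only the first candidate passes; the second is exactly the command-substitution case the thread is about, and the last two are the "extra % or \" cases that are outside bash's scope but still break the printf call.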