On 4/13/15 8:33 AM, Greg Wooledge wrote:
> On Sat, Apr 11, 2015 at 01:27:53PM -0400, Chet Ramey wrote:
>> On 4/10/15 11:09 AM, Greg Wooledge wrote:
>>> - Fix the $"..." security hole (I tried and failed).
>>> http://www.gnu.org/software/gettext/manual/html_node/bash.html
>>
>> Yeah, I didn't like the all-or-nothing choice the patch implemented. If
>> command substitution is the problem, a better approach would have been to
>> inhibit command substitution instead of every word expansion. That's just
>> not easy to do at the point where locale transformation gets done -- it
>> requires processing the translated string to insert some kind of quoting.
>
> I'm skeptical about any substitutions being performed in a translated
> string. While I don't have real-life experience writing localized
> shell scripts, I would *think* the correct way to put variables in a
> translated string is:
>
> printf $"Hello, %s. Welcome to %s." "$LOGNAME" "$HOSTNAME"
Maybe, but your original post on the subject contained this sentence:

    But people I've talked with said they were using $"foo $bar" in
    practice, so this definitely affects them.

so the problem is real regardless of our skepticism.

> As the script writer, I would want some guarantee that the translated
> string won't undergo any substitutions at all (especially not command
> substitutions, but even something like $1 in the translation, expanded to
> whatever garbage is in the positional parameters, would make the output
> appear wrong).

Unless you want the substitution to take place.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/
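Added example, not code from the thread or from bash itself: a small POSIX shell audit helper that flags lines where a $"..." translatable string embeds a parameter or command expansion, the `$"foo $bar"` pattern the thread contrasts with `printf $"..." "$arg"`. The function names and the sample script it scans are constructed here for demonstration.

```shell
# Audit helper (added example). Flags lines in a script where a bash $"..."
# translatable string embeds an expansion ($var, $(cmd) or `cmd`). The
# translated text is re-expanded after the catalog lookup, so the safe form
# keeps the translation a pure printf format:
#   printf $"Hello, %s." "$LOGNAME"
# Heuristic only: it does not handle escaped quotes inside the string.

RISKY_RE='\$"[^"]*[$`][^"]*"'

# Print "lineno:text" for each risky $"..." string in FILE.
find_risky_translations() {
    grep -n -E "$RISKY_RE" "$1" || true
}

# Print the number of risky lines in FILE (0 when the script is clean).
count_risky_translations() {
    grep -c -E "$RISKY_RE" "$1" || true
}

# Write a constructed (hypothetical) localized script to FILE for the demo.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/bash
TEXTDOMAIN=demo
# Safe: the translation is only a printf format; values are arguments.
printf $"Hello, %s. Welcome to %s.\n" "$LOGNAME" "$HOSTNAME"
# Risky: the translated string is re-expanded after lookup, so the
# catalog entry decides what gets expanded (the hole discussed above).
echo $"Hello, $LOGNAME. Welcome to $HOSTNAME."
echo $"Today is `date`."
echo $"No expansions here."
EOF
}

sample=$(mktemp)
write_sample_script "$sample"
find_risky_translations "$sample"   # reports the two echo lines
rm -f "$sample"
```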