( bash

Info Catalog ( sh ( List of Programming Languages ( Python
 15.5.3 bash - Bourne-Again Shell Script
 GNU `bash' 2.0 or newer has a special shorthand for translating a
 string and substituting variable values in it: `$"msgid"'.  But the use
 of this construct is *discouraged*, due to the security holes it opens
 and due to its portability problems.
    The security holes of `$"..."' come from the fact that after looking
 up the translation of the string, `bash' processes it like it processes
 any double-quoted string: dollar and backquote processing, like `eval'
   1. In a locale whose encoding is one of BIG5, BIG5-HKSCS, GBK,
      GB18030, SHIFT_JIS, JOHAB, some double-byte characters have a
      second byte whose value is `0x60'.  For example, the byte sequence
      `\xe0\x60' is a single character in these locales.  Many versions
      of `bash' (all versions up to bash-2.05, and newer versions on
      platforms without `mbsrtowcs()' function) don't know about
      character boundaries and see a backquote character where there is
      only a particular Chinese character.  Thus it can start executing
      part of the translation as a command list.  This situation can
      occur even without the translator being aware of it: if the
      translator provides translations in the UTF-8 encoding, it is the
      `gettext()' function which will, during its conversion from the
      translator's encoding to the user's locale's encoding, produce the
      dangerous `\x60' bytes.
   2. A translator could - voluntarily or inadvertently - use backquotes
      `"`...`"' or dollar-parentheses `"$(...)"' in her translations.
      The enclosed strings would be executed as command lists by the
    The portability problem is that `bash' must be built with
 internationalization support; this is normally not the case on systems
 that don't have the `gettext()' function in libc.
Info Catalog ( sh ( List of Programming Languages ( Python
automatically generated byinfo2html