[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Help-bash] make function local

From: Greg Wooledge
Subject: Re: [Help-bash] make function local
Date: Mon, 13 Apr 2015 08:33:23 -0400
User-agent: Mutt/

On Sat, Apr 11, 2015 at 01:27:53PM -0400, Chet Ramey wrote:
> On 4/10/15 11:09 AM, Greg Wooledge wrote:
> > - Fix the $"..." security hole (I tried and failed).
> >   http://www.gnu.org/software/gettext/manual/html_node/bash.html
> Yeah, I didn't like the all-or-nothing choice the patch implemented.  If
> command substitution is the problem, a better approach would have been to
> inhibit command substitution instead of every word expansion.  That's just
> not easy to do at the point where locale transformation gets done -- it
> requires processing the translated string to insert some kind of quoting.

I'm skeptical about any substitutions being performed in a translated
string.  While I don't have real-life experience writing localized
shell scripts, I would *think* the correct way to put variables in a
translated string is:

printf $"Hello, %s.  Welcome to %s." "$LOGNAME" "$HOSTNAME"

As the script writer, I would want some guarantee that the translated
string won't undergo any substitutions at all (especially not command
substitutions, but even something like $1 in the translation, expanded to
whatever garbage is in the positional parameters, would make the output
appear wrong).  But then I suppose I would also want some guarantee
that the translated string won't contain any extra % or \ characters
for printf to trip over.  That may be outside of bash's scope.

It's a messy problem.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]