Re: How to use $"msgid"?
From: Jesse Hathaway
Subject: Re: How to use $"msgid"?
Date: Tue, 23 Mar 2021 22:17:08 -0500

On Tue, Mar 23, 2021 at 6:00 PM Peng Yu <pengyu.ut@gmail.com> wrote:
>
> > There's also <https://mywiki.wooledge.org/BashFAQ/098>. Take note of
> > the security warnings.
>
> I don't get it to work. Could you let me know what is wrong? For the
> security problem, could you show a working example demonstrating why
> it is not secure? Thanks.

Based on my working example, here is the security issue:

$ cat <<'EOF' > hello.pot
> #: hello.sh:5
> msgid "Hello, world"
> msgstr "Hola Mundo $(uname)"
> EOF
$ msgfmt -o ~+/locale/es_ES/LC_MESSAGES/hello.mo hello.pot
$ bash hello.sh
Hola Mundo Linux

i.e. bash substitutes the translation, then performs double-quoted
string expansions, so if the translator has injected bash code, such
as a command substitution, into the translated message, it will be
executed.
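
An added example, not part of the original message: a pre-build check that flags msgstr entries bash would expand when the catalog is used through $"...". The function names scan_po and make_sample are hypothetical, and the sample catalog is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# bash expands a $"..." translation as a double-quoted string, so any
# '$' or backtick in a msgstr is live shell syntax. This check is
# deliberately conservative: it flags every such character.

# scan_po FILE: print "LINENO: text" for each msgstr line, including
# continuation lines, that contains '$' or a backtick.
# Returns 1 if anything was flagged, 0 if the catalog is clean.
scan_po() {
    awk '
        /^msgstr(\[[0-9]+\])?[ \t]/          { in_str = 1 }
        /^(msgid|msgid_plural|msgctxt)[ \t]/ { in_str = 0 }
        /^#/ || /^[ \t]*$/                   { in_str = 0; next }
        # Continuation lines start with a quote and inherit in_str.
        in_str && (index($0, "$") || index($0, "`")) {
            printf "%d: %s\n", NR, $0
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# make_sample FILE: write a constructed catalog with two unsafe entries
# (line 3 and the continuation on line 11) and one safe entry.
make_sample() {
    cat <<'EOF' > "$1"
# constructed sample catalog
msgid "Hello, world"
msgstr "Hola Mundo $(uname)"

msgid "Goodbye"
msgstr "Adios"

msgid "Long text"
msgstr ""
"primera linea "
"segunda `id` linea"
EOF
}
```

Run scan_po on each catalog before msgfmt and treat a non-zero exit as a failed review of the translation.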