On Wednesday 02 May 2007, Peter Stephenson wrote:
> Daniel Qarras <dqarras@xxxxxxxxx> wrote:
> >
> > Only thing missing being support for echo $"Starting foo:" style
> > messages (used to localize the message) but that's not much of a
> > problem.
>
> I don't even know how that works; it doesn't appear to be excessively
> well documented.
>

Also, the documentation for gettext rather advises against using it and suggests using explicit gettext & Co. calls instead:

    The security holes of `$"..."' come from the fact that after looking
    up the translation of the string, `bash' processes it like it
    processes any double-quoted string: dollar and backquote processing,
    like `eval' does.

With obvious implications. Of course, one possibility could be to make the result fully quoted and immune to any further processing. OTOH it probably still breaks in nested evals.
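The behaviour quoted from the gettext manual above, shown as an added example that is not part of the original message or of any project's code. The function names (lookup_translation, render_like_dollar_quote, render_as_data, contains_shell_active) and the catalog entry are constructed for illustration; a real script would obtain the string from gettext(1).

```shell
#!/bin/sh
# Hypothetical stand-in for a message catalog lookup (constructed data).
lookup_translation() {
    case "$1" in
        "Starting foo:")
            # Constructed msgstr that carries a command substitution.
            printf '%s' 'Starte foo: $(echo INJECTED)' ;;
        *)
            # No translation available: return the msgid unchanged.
            printf '%s' "$1" ;;
    esac
}

# Models what the manual describes for $"...": the looked-up text is
# processed again as a double-quoted string, the way eval would do it.
render_like_dollar_quote() {
    translated=$(lookup_translation "$1")
    eval "printf '%s' \"$translated\""
}

# Treats the looked-up text strictly as data: it is expanded once from
# the variable and never re-parsed by the shell.
render_as_data() {
    translated=$(lookup_translation "$1")
    printf '%s' "$translated"
}

# Catalog review check: succeeds if a translation contains characters
# that trigger dollar or backquote processing.
contains_shell_active() {
    case "$1" in
        *'$'*|*'`'*) return 0 ;;
        *) return 1 ;;
    esac
}

printf 're-parsed: %s\n' "$(render_like_dollar_quote 'Starting foo:')"
printf 'as data:   %s\n' "$(render_as_data 'Starting foo:')"
```

The first line of output shows the substitution having run; the second shows the same catalog entry printed literally.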