31

I want to use printf to print a variable. It might be possible that this variable contains a % percent sign.

Minimal example:

$ TEST="contains % percent"
$ echo "${TEST}"
contains % percent
$ printf "${TEST}\n"
bash: printf: `p': invalid format character
contains $

(echo provides the desired output.)

finefoot
  • 2,940
  • 2
  • 21
  • 41

3 Answers3

48

Use printf in its normal form:

printf '%s\n' "${TEST}"

From man printf:

SYNOPSIS
printf FORMAT [ARGUMENT]...

You should never pass a variable to the FORMAT string as it may lead to errors and security vulnerabilities.

Btw:

if you want to have % sign as part of the FORMAT, you need to enter %%, e.g.:

$ printf '%d%%\n' 100
100%
pLumo
  • 22,231
  • 2
  • 41
  • 66
  • 2
    Do you really need `"${TEST}"`, can't it be `"$TEST"`? – Ferrybig May 16 '19 at 17:15
  • 1
    `"$TEST"` is enough. – pLumo May 16 '19 at 17:41
  • 2
    +1. But it's not just 'normal', it's necessary. Passing a variable to printf's first parameter is Christmas to hackers. Never do it. That is part of secure software dev 101. – Jeffrey May 16 '19 at 21:24
  • @Jeffrey Most of the potential vulnerabilities in printf are only applicable to the C function. There aren't as many evil things you can do by passing a bad format string to `/usr/bin/printf` (or the equivalent shell builtin). –  May 16 '19 at 21:56
  • @duskwuff you can do variable assignment using bash's `printf`, and variable assignments can lead to a lot more (e.g., shellshock in days past) – muru May 17 '19 at 01:56
  • @Jeffrey, true, my answer was not clear enough about that I think. I added a sentence to emphasize that. – pLumo May 17 '19 at 07:03
  • Why is it then allowed in the syntax to pass a variable to the format? – john-jones Mar 03 '23 at 12:15
  • The variable substitution is performed by bash, before `printf` is executed, so it cannot know of it. – pLumo Mar 03 '23 at 12:43
13

You should never put variable content in the format string given to printf. Use this instead:

printf '%s\n' "${TEST}"
Stephen Kitt
  • 411,918
  • 54
  • 1,065
  • 1,164
4

printf takes one guaranteed parameter, and then a number of additional parameters based on what you pass. So something like this:

printf '%07.2f' 5

gets turned into:

0005.00

The first parameter, called "format", is always present. If it contains no %strings, it's simply printed. Thus:

printf Hello

produces simply Hello (notably, without the trailing newline echo would add in its default mode). In expecting your example to work, you have been misled by your own previous (unknowing) abuse of this fact; because you only passed strings without %s into format, from printf's point of view, you kept asking it to output things that required no substitutions, so it pretty much functioned like echo -ne.

If you want to do this right, you probably want to start forming your printable strings with printf's builtin substitution capabilities. Lines like this appear all over my code:

printf '%20s: %6d %05d.%02d%%' "$key" $val $((val/max)) $((val*100/max%100))

If you want exactly what you're currently doing now to work, you want echo -ne, as so:

TEST="contains % percent"
echo -ne "${TEST}\n"

That preserves the (questionable) behavior of interpreting \ escapes inside the variable. It also seems a little silly to supply -n and then stick the \n back on, but I offer it because it's a global find-and-replace you can apply to everything you're current doing. A cleaner version that still keeps \ escapes working in the variable would be:

TEST="contains % percent"
echo -e "$TEST"
BMDan
  • 141
  • 3