Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Fixed small security hole in bin/compile-messages.py by escaping the …

….po filename in os.system() call. Announcement forthcoming

git-svn-id: http://code.djangoproject.com/svn/django/trunk@3592 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 518d406e53a7417385a1a2e10bb5110b67d28fac 1 parent 7c79f2a
Adrian Holovaty adrianholovaty authored
Showing with 8 additions and 1 deletion.
  1. +8 −1 django/bin/compile-messages.py
9 django/bin/compile-messages.py
View
@@ -19,7 +19,14 @@ def compile_messages():
if f.endswith('.po'):
sys.stderr.write('processing file %s in %s\n' % (f, dirpath))
pf = os.path.splitext(os.path.join(dirpath, f))[0]
- cmd = 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf)
+ # Store the names of the .mo and .po files in an environment
+ # variable, rather than doing a string replacement into the
+ # command, so that we can take advantage of shell quoting, to
+ # quote any malicious characters/escaping.
+ # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
+ os.environ['djangocompilemo'] = pf + '.mo'
+ os.environ['djangocompilepo'] = pf + '.po'
+ cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"'
os.system(cmd)
if __name__ == "__main__":
Please sign in to comment.
Something went wrong with that request. Please try again.