Skip to content

Commit 518d406

Browse files
Fixed small security hole in bin/compile-messages.py by escaping the .po filename in os.system() call. Announcement forthcoming
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3592 bcc190cf-cafb-0310-a4f2-bffc1f526a37
1 parent 7c79f2a commit 518d406

File tree

1 file changed

+8
-1
lines changed

1 file changed

+8
-1
lines changed

Diff for: django/bin/compile-messages.py

+8-1
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,14 @@ def compile_messages():
1919
if f.endswith('.po'):
2020
sys.stderr.write('processing file %s in %s\n' % (f, dirpath))
2121
pf = os.path.splitext(os.path.join(dirpath, f))[0]
22-
cmd = 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf)
22+
# Store the names of the .mo and .po files in an environment
23+
# variable, rather than doing a string replacement into the
24+
# command, so that we can take advantage of shell quoting, to
25+
# quote any malicious characters/escaping.
26+
# See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
27+
os.environ['djangocompilemo'] = pf + '.mo'
28+
os.environ['djangocompilepo'] = pf + '.po'
29+
cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"'
2330
os.system(cmd)
2431

2532
if __name__ == "__main__":

0 commit comments

Comments
 (0)