0.95-bugfixes: Apply security fix from [3592] and Windows compatibility for same from [3672]

git-svn-id: http://code.djangoproject.com/svn/django/branches/0.95-bugfixes@4360 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit a132d411c6986418ee6c0edc331080aa792fee6e 1 parent 69fb4ba
James Bennett authored

Showing 1 changed file with 11 additions and 1 deletion.

12  django/bin/compile-messages.py
@@ -19,7 +19,17 @@ def compile_messages():
19 19
             if f.endswith('.po'):
20 20
                 sys.stderr.write('processing file %s in %s\n' % (f, dirpath))
21 21
                 pf = os.path.splitext(os.path.join(dirpath, f))[0]
22  
-                cmd = 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf)
  22
+                # Store the names of the .mo and .po files in an environment
  23
+                # variable, rather than doing a string replacement into the
  24
+                # command, so that we can take advantage of shell quoting, to
  25
+                # quote any malicious characters/escaping.
  26
+                # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
  27
+                os.environ['djangocompilemo'] = pf + '.mo'
  28
+                os.environ['djangocompilepo'] = pf + '.po'
  29
+                if sys.platform == 'win32': # Different shell-variable syntax
  30
+                    cmd = 'msgfmt -o "%djangocompilemo%" "%djangocompilepo%"'
  31
+                else:
  32
+                    cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"' 
23 33
                 os.system(cmd)
24 34
 
25 35
 if __name__ == "__main__":
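
Review bot: The command still goes through a shell via `os.system(cmd)`, and the two branches do not give the same guarantee. In the POSIX branch the shell expands `"$djangocompilemo"` after it has parsed the quotes, so the value is always one argument. In the `win32` branch cmd.exe substitutes `%djangocompilemo%` into the line before parsing it, so the surrounding quotes hold only as long as the value itself contains no double quote. Calling msgfmt with an argument list (for example `['msgfmt', '-o', pf + '.mo', pf + '.po']` through a spawn-style call that does not start a shell) would remove both the platform branch and the reliance on quoting. Two smaller points: `djangocompilemo` and `djangocompilepo` stay set in `os.environ` after the loop and are inherited by any later child process, and the return value of `os.system(cmd)` is discarded, so a failed msgfmt run passes silently. The added `cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"'` line also ends in trailing whitespace.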
