Author: adrian
Date: 2006-08-16 01:28:13 -0500 (Wed, 16 Aug 2006)
New Revision: 3592
Modified:
django/trunk/django/bin/compile-messages.py
Log:
Fixed small security hole in bin/compile-messages.py by escaping the .po
filename in os.system() call. Announcement forthcoming
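--- a/django/trunk/django/bin/compile-messages.py
+++ b/django/trunk/django/bin/compile-messages.py
@@ -19,7 +19,14 @@
 if f.endswith('.po'):
 sys.stderr.write('processing file %s in %s\n' % (f, dirpath))
 pf = os.path.splitext(os.path.join(dirpath, f))[0]
-cmd = 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf)
+# Store the names of the .mo and .po files in an environment
+# variable, rather than doing a string replacement into the
+# command, so that we can take advantage of shell quoting, to
+# quote any malicious characters/escaping.
+# See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
+os.environ['djangocompilemo'] = pf + '.mo'
+os.environ['djangocompilepo'] = pf + '.po'
+cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"'
 os.system(cmd)
 if __name__ == "__main__":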
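Review bot: The exit status of `os.system(cmd)` is still discarded, so a failing or missing msgfmt leaves a stale or absent .mo file with no indication to the caller; I would change that line to `if os.system(cmd) != 0: sys.stderr.write('msgfmt failed for %s\n' % pf)`. The `"$djangocompilemo"` form is only safe when the command is interpreted by a POSIX shell, which double-quotes variable expansions; under cmd.exe the variables are not expanded at all, so if this script is expected to run on Windows the more robust fix is to drop the shell and spawn msgfmt with an argument list (`os.spawnvp`/`subprocess`), which needs no quoting whatsoever. The two `os.environ` entries also remain set after the loop and are inherited by every later child process; deleting them after the call, or passing them in a per-call environment, would keep the footprint local. The enclosing `for` loop over `os.walk` begins outside the hunk.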