Author: ubernostrum
Date: 2006-08-16 01:29:22 -0500 (Wed, 16 Aug 2006)
New Revision: 3594

Modified:
   django/branches/0.90-bugfixes/django/bin/compile-messages.py
Log:
0.90-fixes: Fixed minor security hole in compile-messages.py. See trunk patch 
in [3592]

Modified: django/branches/0.90-bugfixes/django/bin/compile-messages.py
===================================================================
--- django/branches/0.90-bugfixes/django/bin/compile-messages.py        
2006-08-16 06:28:59 UTC (rev 3593)
+++ django/branches/0.90-bugfixes/django/bin/compile-messages.py        
2006-08-16 06:29:22 UTC (rev 3594)
@@ -19,6 +19,13 @@
         if file.endswith('.po'):
             sys.stderr.write('processing file %s in %s\n' % (file, dirpath))
             pf = os.path.splitext(os.path.join(dirpath, file))[0]
-            cmd = 'msgfmt -o %s.mo %s.po' % (pf, pf)
+            # Store the names of the .mo and .po files in an environment
+            # variable, rather than doing a string replacement into the
+            # command, so that we can take advantage of shell quoting, to
+            # quote any malicious characters/escaping.
+            # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
+            os.environ['djangocompilemo'] = pf + '.mo'
+            os.environ['djangocompilepo'] = pf + '.po'
+            cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"'
             os.system(cmd)
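Review bot: The last line still hands the command to a shell via os.system, so the protection rests entirely on the double-quoted `$djangocompilemo`/`$djangocompilepo` expansion being the only route by which the .po path reaches the shell; invoking msgfmt without a shell, `os.spawnlp(os.P_WAIT, 'msgfmt', 'msgfmt', '-o', pf + '.mo', pf + '.po')` (or `subprocess.call(['msgfmt', '-o', pf + '.mo', pf + '.po'])` where the branch's minimum Python allows it), removes the shell from the path and makes the environment-variable detour and the linked article unnecessary. The exit status of os.system is also discarded, so a failing msgfmt goes unreported; at least capture it, e.g. `status = os.system(cmd)` followed by a `sys.stderr.write` when it is non-zero. The two environment variables are left set after each iteration, which is harmless here but worth noting in the comment since child processes inherit them. The enclosing `for` loop and its function begin before this hunk.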
 

