Author: ubernostrum
Date: 2007-01-19 20:02:07 -0600 (Fri, 19 Jan 2007)
New Revision: 4360

Modified:
   django/branches/0.95-bugfixes/django/bin/compile-messages.py
Log:
0.95-bugfixes: Apply security fix from [3592] and Windows compatibility for 
same from [3672]


Modified: django/branches/0.95-bugfixes/django/bin/compile-messages.py
===================================================================
--- django/branches/0.95-bugfixes/django/bin/compile-messages.py        
2007-01-20 01:45:08 UTC (rev 4359)
+++ django/branches/0.95-bugfixes/django/bin/compile-messages.py        
2007-01-20 02:02:07 UTC (rev 4360)
@@ -19,7 +19,17 @@
             if f.endswith('.po'):
                 sys.stderr.write('processing file %s in %s\n' % (f, dirpath))
                 pf = os.path.splitext(os.path.join(dirpath, f))[0]
-                cmd = 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf)
+                # Store the names of the .mo and .po files in an environment
+                # variable, rather than doing a string replacement into the
+                # command, so that we can take advantage of shell quoting, to
+                # quote any malicious characters/escaping.
+                # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
+                os.environ['djangocompilemo'] = pf + '.mo'
+                os.environ['djangocompilepo'] = pf + '.po'
+                if sys.platform == 'win32': # Different shell-variable syntax
+                    cmd = 'msgfmt -o "%djangocompilemo%" "%djangocompilepo%"'
+                else:
+                    cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"' 
                 os.system(cmd)
 
 if __name__ == "__main__":
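Review bot: The Windows branch at `cmd = 'msgfmt -o "%djangocompilemo%" "%djangocompilepo%"'` does not achieve what the comment above it promises, because cmd.exe substitutes `%var%` before it tokenizes the command line, so a `.po` path containing `"` or `&` is still spliced into the command as metacharacters; only the POSIX `"$djangocompilemo"` form is protected from re-parsing by the shell. Unless the 0.95 branch must keep running on a Python without the `subprocess` module (2.3 — worth confirming), the robust fix on both platforms is to skip the shell entirely: `subprocess.call(['msgfmt', '-o', pf + '.mo', pf + '.po'])`, which also makes the environment-variable workaround and the platform switch unnecessary. If the shell-based form has to stay, a comment such as `# NOTE: on win32 the %var% expansion happens before quoting and does not neutralise '"' or '&' in file names` should record the residual exposure. The return value of `os.system(cmd)` is also discarded, so a failing msgfmt run is silently ignored; checking it and writing a message to stderr would match the `processing file` logging already in the loop. The enclosing `os.walk` loop and its function begin outside this hunk.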

