authorAdrian Holovaty <adrian@holovaty.com>2006-08-16 06:28:13 +0000
committerAdrian Holovaty <adrian@holovaty.com>2006-08-16 06:28:13 +0000
commit518d406e53a7417385a1a2e10bb5110b67d28fac (patch)
tree8790fdcc3e31a5428acab6a93c03127a64775c5c /django/bin
parent7c79f2affa978c2b3a9f523eed3793fd872f686c (diff)
Fixed small security hole in bin/compile-messages.py by escaping the .po filename in os.system() call. Announcement forthcoming
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3592 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django/bin')
-rwxr-xr-xdjango/bin/compile-messages.py9
1 files changed, 8 insertions, 1 deletions
diff --git a/django/bin/compile-messages.py b/django/bin/compile-messages.py
index 66fdfd3e8b..07dcce7bf6 100755
--- a/django/bin/compile-messages.py
+++ b/django/bin/compile-messages.py
@@ -19,7 +19,14 @@ def compile_messages():
if f.endswith('.po'):
sys.stderr.write('processing file %s in %s\n' % (f, dirpath))
pf = os.path.splitext(os.path.join(dirpath, f))[0]
- cmd = 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf)
+ # Store the names of the .mo and .po files in an environment
+ # variable, rather than doing a string replacement into the
+ # command, so that we can take advantage of shell quoting, to
+ # quote any malicious characters/escaping.
+ # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
+ os.environ['djangocompilemo'] = pf + '.mo'
+ os.environ['djangocompilepo'] = pf + '.po'
+ cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"'
os.system(cmd)
if __name__ == "__main__":
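Review bot: The environment-variable quoting added at `os.environ['djangocompilemo']` / `'djangocompilepo'` and the `"$djangocompilemo"` command string only works when os.system() hands the command to a POSIX sh, where a double-quoted `$name` expansion is not re-parsed for metacharacters; under cmd.exe on Windows `$name` is not expanded at all, so msgfmt would receive the literal strings and the fix appears to trade the injection for a functional regression there. Not invoking a shell at all removes both problems: `subprocess.call(['msgfmt', '-o', pf + '.mo', pf + '.po'])` passes the file names as argv entries with no quoting to get wrong, though subprocess needs Python 2.4+, so if older interpreters must stay supported the comment block should at least state that the trick is POSIX-sh-only. Separately, the return value of os.system(cmd) is still discarded, so a failing msgfmt (e.g. a malformed .po file) goes unnoticed; capturing the status and writing a message to stderr would make the loop's outcome visible. compile_messages() begins before this hunk, so the source of dirpath and f is not visible here.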