| author | Ramiro Morales <cramm0@gmail.com> | 2013-02-12 13:58:49 -0300 |
|---|---|---|
| committer | Ramiro Morales <cramm0@gmail.com> | 2013-02-26 21:31:53 -0300 |
| commit | dfa9324966ce1a38346d15e35805d042848aabf1 (patch) | |
| tree | fbdc4f167056a84a1c6d38bf0a4ea7c5ab8cb145 /django/core/management/commands/compilemessages.py | |
| parent | 5c51d71f9ae40f002530d9f4f2f477abaa76d78d (diff) | |
Don't use os.system() in compilemessages.
Fixes #19584.
This means we stop storing file path command line arguments in environment
variables as a security measure and instead rely on Popen with shell=False;
it also adds a 'utils' module.
Thanks kmichel_wgs for the report.
Diffstat (limited to 'django/core/management/commands/compilemessages.py')
| -rw-r--r-- | django/core/management/commands/compilemessages.py | 24 |
1 files changed, 11 insertions, 13 deletions
diff --git a/django/core/management/commands/compilemessages.py b/django/core/management/commands/compilemessages.py
index 8f2c1ff771..2ca42d1c63 100644
--- a/django/core/management/commands/compilemessages.py
+++ b/django/core/management/commands/compilemessages.py
@@ -2,9 +2,10 @@ from __future__ import unicode_literals
 import codecs
 import os
-import sys
 from optparse import make_option
+
 from django.core.management.base import BaseCommand, CommandError
+from django.core.management.utils import popen_wrapper
 from django.utils._os import npath
 def has_bom(fn):
@@ -41,18 +42,15 @@ def compile_messages(stderr, locale=None):
             if has_bom(fn):
                 raise CommandError("The %s file has a BOM (Byte Order Mark). Django only supports .po files encoded in UTF-8 and without any BOM." % fn)
             pf = os.path.splitext(fn)[0]
-            # Store the names of the .mo and .po files in an environment
-            # variable, rather than doing a string replacement into the
-            # command, so that we can take advantage of shell quoting, to
-            # quote any malicious characters/escaping.
-            # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
-            os.environ['djangocompilemo'] = npath(pf + '.mo')
-            os.environ['djangocompilepo'] = npath(pf + '.po')
-            if sys.platform == 'win32': # Different shell-variable syntax
-                cmd = 'msgfmt --check-format -o "%djangocompilemo%" "%djangocompilepo%"'
-            else:
-                cmd = 'msgfmt --check-format -o "$djangocompilemo" "$djangocompilepo"'
-            os.system(cmd)
+            program = 'msgfmt'
+            args = [program, '--check-format', '-o', npath(pf + '.mo'), npath(pf + '.po')]
+            output, errors, status = popen_wrapper(args)
+            if status:
+                if errors:
+                    msg = "Execution of %s failed: %s" % (program, errors)
+                else:
+                    msg = "Execution of %s failed" % program
+                raise CommandError(msg)
 class Command(BaseCommand): |
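Review bot: The rewritten body in the second hunk removes the comment that explained why the .po/.mo paths are kept out of a command string, and the new argv-list form deserves the same one-line rationale so a later edit does not "simplify" it back into a shell string; above `args = [...]` add `# Pass the paths as separate argv entries (no shell), so nothing in a file name is interpreted by a shell.`. On the next line `output` is assigned but never read; `_, errors, status = popen_wrapper(args)` makes that explicit. The `%s` in the `CommandError` message assumes `errors` is text — if popen_wrapper hands back raw stderr bytes on Python 3 the message would print as `b'...'`, so that is worth confirming against the new utils module, which is not in this diff. compile_messages starts before this hunk and the enclosing `for` loop is not visible here.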
