Changeset 3593

Timestamp: 08/16/06 01:28:59 (2 years ago)
Author: ubernostrum
Message:

0.91-fixes: Fixed minor security hole in compile-messages.py. See trunk patch in [3592]

Files:

  • django/branches/0.91-bugfixes/django/bin/compile-messages.py

    r2352 r3593  
    2121                sys.stderr.write('processing file %s in %s\n' % (f, dirpath)) 
    2222                pf = os.path.splitext(os.path.join(dirpath, f))[0] 
    23                 cmd = 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf) 
     23                # Store the names of the .mo and .po files in an environment 
     24                # variable, rather than doing a string replacement into the 
     25                # command, so that we can take advantage of shell quoting, to 
     26                # quote any malicious characters/escaping. 
     27                # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html 
     28                os.environ['djangocompilemo'] = pf + '.mo' 
     29                os.environ['djangocompilepo'] = pf + '.po' 
     30                cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"' 
    2431                os.system(cmd) 
    2532
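
Review bot: The new lines 28-30 still hand the file names to a shell through `os.system(cmd)`, so the call stays safe only while the double quotes around `$djangocompilemo` and `$djangocompilepo` survive later edits, and only under a shell that expands `$name` (POSIX sh, not cmd.exe). Passing an argument list with no shell involved, for example `subprocess.call(['msgfmt', '-o', pf + '.mo', pf + '.po'])` where the `subprocess` module is available, would remove the quoting dependency and the two `os.environ` entries, which otherwise stay set in this process after the call and are inherited by every later child process. Two smaller points: the return value of `os.system(cmd)` on line 31 is discarded, so a failing `msgfmt` goes unnoticed, and the comment on lines 23-26 would be more precise if it said the shell expands the variables inside double quotes without re-parsing their contents as command text, rather than that it quotes malicious characters.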