From 6eefa521be3c658dc0b38f8d62d52e9801e198ab Mon Sep 17 00:00:00 2001
From: James Bennett <ubernostrum@gmail.com>
Date: Wed, 16 Aug 2006 06:29:22 +0000
Subject: [PATCH] 0.90-fixes: Fixed minor security hole in compile-messages.py.
 See trunk patch in [3592]

git-svn-id: http://code.djangoproject.com/svn/django/branches/0.90-bugfixes@3594 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/bin/compile-messages.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/django/bin/compile-messages.py b/django/bin/compile-messages.py
index 0b5127f6b2..79d5ff17b2 100755
--- a/django/bin/compile-messages.py
+++ b/django/bin/compile-messages.py
@@ -19,6 +19,13 @@ for (dirpath, dirnames, filenames) in os.walk(basedir):
         if file.endswith('.po'):
             sys.stderr.write('processing file %s in %s\n' % (file, dirpath))
             pf = os.path.splitext(os.path.join(dirpath, file))[0]
-            cmd = 'msgfmt -o %s.mo %s.po' % (pf, pf)
+            # Store the names of the .mo and .po files in an environment
+            # variable, rather than doing a string replacement into the
+            # command, so that we can take advantage of shell quoting, to
+            # quote any malicious characters/escaping.
+            # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
+            os.environ['djangocompilemo'] = pf + '.mo'
+            os.environ['djangocompilepo'] = pf + '.po'
+            cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"'
             os.system(cmd)