From a132d411c6986418ee6c0edc331080aa792fee6e Mon Sep 17 00:00:00 2001
From: James Bennett
Date: Sat, 20 Jan 2007 02:02:07 +0000
Subject: [PATCH] 0.95-bugfixes: Apply security fix from [3592] and Windows compatibility for same from [3672]

git-svn-id: http://code.djangoproject.com/svn/django/branches/0.95-bugfixes@4360 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/bin/compile-messages.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/django/bin/compile-messages.py b/django/bin/compile-messages.py
index 5f653df95d..f04bcea1a1 100755
--- a/django/bin/compile-messages.py
+++ b/django/bin/compile-messages.py
@@ -19,7 +19,17 @@ def compile_messages():
             if f.endswith('.po'):
                 sys.stderr.write('processing file %s in %s\n' % (f, dirpath))
                 pf = os.path.splitext(os.path.join(dirpath, f))[0]
-                cmd = 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf)
+                # Store the names of the .mo and .po files in an environment
+                # variable, rather than doing a string replacement into the
+                # command, so that we can take advantage of shell quoting, to
+                # quote any malicious characters/escaping.
+                # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
+                os.environ['djangocompilemo'] = pf + '.mo'
+                os.environ['djangocompilepo'] = pf + '.po'
+                if sys.platform == 'win32': # Different shell-variable syntax
+                    cmd = 'msgfmt -o "%djangocompilemo%" "%djangocompilepo%"'
+                else:
+                    cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"'
                 os.system(cmd)
 
 if __name__ == "__main__":
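Review bot: The win32 branch does not get the protection the new comment promises: as far as I know cmd.exe expands `%djangocompilemo%` textually before it parses quoting and command separators, so a locale file name containing such characters is still interpreted by the shell, whereas the POSIX `"$djangocompilemo"` form is sound because expansion there happens after quote parsing. The underlying issue on both platforms is that msgfmt is still launched through os.system, so the robust fix is an argument vector with no shell at all, e.g. `subprocess.call(['msgfmt', '-o', pf + '.mo', pf + '.po'])` (Python 2.4+; whether this branch can depend on that is not visible from the hunk). The two os.environ entries are also left set after the loop finishes, which is harmless but worth a comment or a cleanup. compile_messages() begins before this hunk.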