Overview
The CVE-2007-0404 vulnerability in Django demonstrates how a broken function-level authorization pattern can be exploited when a privileged tool shells out with untrusted data. In Django 0.95, bin/compile-messages.py invoked the msgfmt program via os.system, passing values derived from translation files (.po/.mo) directly into the command line. An attacker who could influence a translation file could inject shell metacharacters and execute arbitrary commands on the server running the Django process. This is a classic remote command execution scenario caused by unsafe command construction rather than a direct access-control flaw, but it shows how a privileged tooling path can undermine security boundaries when the inputs it consumes are not properly sanitized.
This class of risk maps to Broken Function Level Authorization in that a function or tooling path intended to run with elevated privileges can be abused if its inputs come from untrusted sources and are executed in a shell. The lack of proper input handling combined with shell invocation means an attacker can trigger code execution through crafted translation data, effectively bypassing intended safeguards. The remediation emphasizes avoiding shell-based invocations altogether, tightening access control around privileged tooling, and validating or sandboxing inputs used in privileged operations.
To fix this in Django code, replace shell invocations with safe subprocess calls, validate or isolate inputs, and upgrade to a patched version. Avoid using os.system with concatenated strings; pass arguments as a list to subprocess.run or subprocess.call so that no shell ever parses them. Enforce function-level authorization for tooling and management commands that perform privileged actions, and add tests that feed crafted translation file names containing shell metacharacters through the compile path to confirm they are passed as a single literal argument and no command execution occurs. Patch references indicate Django’s maintainers addressed this in later revisions; upgrading to a patched Django version reduces risk and aligns with secure translation handling.
Affected Versions
Django 0.95 (and possibly older releases) as described in CVE-2007-0404
Code Fix Example
Django API Security Remediation
Vulnerable pattern:
    import os

    def compile_messages(po_path, mo_path):
        # vulnerable: untrusted input is interpolated into a shell command string,
        # so metacharacters in either path are interpreted by /bin/sh
        cmd = "msgfmt %s -o %s" % (po_path, mo_path)
        os.system(cmd)
Fixed pattern:
    import subprocess

    def compile_messages_secure(po_path, mo_path):
        # safe: each argument is one argv element and no shell is involved,
        # so a path containing metacharacters reaches msgfmt as a literal string
        subprocess.run(["msgfmt", po_path, "-o", mo_path], check=True)
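The following is an added example, not code from Django or from the original page. It combines the fixed pattern above with the two other remediation points from the Overview: a containment check on the translation paths (defense in depth, so the compile path only accepts .po/.mo files inside a locale tree) and a regression test that shows a crafted file name containing shell metacharacters stays a single argv element. The locale root path, the crafted file name and the injectable `runner` parameter are assumptions made for the example; `legacy_shell_tokens` only reproduces the Django 0.95-style string so the test can compare the two approaches, it is never executed.

```python
import shlex
import subprocess
from pathlib import Path

# Assumed locale tree for the containment check (not a Django-defined path).
LOCALE_ROOT = Path("/srv/app/locale")

# Constructed sample: a translation file name carrying shell metacharacters.
CRAFTED_PO_NAME = "messages.po; echo injected"


def build_msgfmt_argv(po_path, mo_path):
    """Return the msgfmt argv list. Each path is exactly one element, so nothing
    inside it is ever parsed by a shell."""
    return ["msgfmt", str(po_path), "-o", str(mo_path)]


def resolve_inside(path, root, suffix):
    """Resolve `path` under `root` (purely lexically, no filesystem access needed)
    and refuse anything that escapes the tree or lacks the expected suffix."""
    root = Path(root).resolve()
    candidate = Path(path)
    resolved = (candidate if candidate.is_absolute() else root / candidate).resolve()
    try:
        resolved.relative_to(root)
    except ValueError:
        raise ValueError(f"{path!r} is outside the locale tree {str(root)!r}")
    if resolved.suffix != suffix:
        raise ValueError(f"{path!r} does not end in {suffix!r}")
    return resolved


def compile_messages_secure(po_path, mo_path, runner=subprocess.run, locale_root=LOCALE_ROOT):
    """Validate both paths, then run msgfmt without a shell.
    `runner` is an assumed hook so tests can capture argv instead of calling msgfmt."""
    po = resolve_inside(po_path, locale_root, ".po")
    mo = resolve_inside(mo_path, locale_root, ".mo")
    argv = build_msgfmt_argv(po, mo)
    runner(argv, check=True)
    return argv


def legacy_shell_tokens(po_path, mo_path):
    """How the Django 0.95-style command string breaks into words. shlex only splits
    on whitespace; a real shell would additionally treat ';' as a command separator,
    so the token count understates the damage. Used by the regression test only."""
    return shlex.split("msgfmt %s -o %s" % (po_path, mo_path))


def crafted_name_stays_one_argument(name=CRAFTED_PO_NAME, mo_path="messages.mo"):
    """Regression check: with list arguments the crafted name is a single argv
    element, whereas string interpolation splits it into several shell words."""
    argv = build_msgfmt_argv(name, mo_path)
    return len(argv) == 4 and argv[1] == name and len(legacy_shell_tokens(name, mo_path)) > 4


if __name__ == "__main__":
    captured = []
    compile_messages_secure("de/LC_MESSAGES/django.po", "de/LC_MESSAGES/django.mo",
                            runner=lambda argv, check: captured.append(argv))
    print("argv passed to msgfmt:", captured[0])
    print("crafted name kept intact:", crafted_name_stays_one_argument())
    try:
        compile_messages_secure(CRAFTED_PO_NAME, "messages.mo", runner=lambda argv, check: None)
    except ValueError as exc:
        print("rejected by path validation:", exc)
```

The argv-list call is the actual fix; the suffix and containment checks are an extra layer for a management command that is reachable by users who can upload or name translation files, and the injectable runner keeps the test hermetic so it runs even where msgfmt is not installed.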