Overview
In CVE-2007-0404, Django 0.95's bin/compile-messages.py calls the external tool msgfmt via os.system without quoting the arguments it interpolates into the command string. An attacker who can place a .po or .mo file whose path contains shell metacharacters where the script will process it can make the shell execute arbitrary commands on the server. This is a classic input-handling vulnerability in the tooling that processes translation assets in Django projects.
Exploitation occurs when the tooling builds a shell command string from untrusted file paths or contents and hands it to the system shell. If an attacker can influence the translation files, the injected commands run with the privileges of whoever runs the script, potentially compromising the host, its data, or other resources it can reach. While this CVE is not a Broken Object Level Authorization (BOLA) flaw in the usual sense, it shows how unsafe input handling in Django tooling can undermine security boundaries and hand control of the execution environment to an attacker.
Fixing this means removing shell-based invocation entirely where possible, or strictly validating the inputs and using safe APIs to do the work. In real-world Django deployments, upgrading to patched tooling and adopting secure invocation patterns prevents this class of exploit and preserves authorization boundaries by removing untrusted command execution paths.
If you must run external commands, pass all arguments as a list (no shell) and validate the inputs first, so nothing taken from translation assets can alter the command's behavior or execute arbitrary code.
Affected Versions
Django 0.95 and earlier
Code Fix Example
Django API Security Remediation
Vulnerable:
import os
po_path = '/path/to/some.po'
mo_path = '/path/to/some.mo'
# The paths are interpolated into one string that /bin/sh parses, so any
# shell metacharacters in them become part of the command, not the filename.
os.system(f"msgfmt {po_path} -o {mo_path}")
Fixed:
import subprocess
po_path = '/path/to/some.po'
mo_path = '/path/to/some.mo'
# Argument list, no shell: each path reaches msgfmt as exactly one argv entry,
# and check=True turns a non-zero exit into an exception instead of silence.
subprocess.run(["msgfmt", po_path, "-o", mo_path], check=True)
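The following is an added example, not code from the page or from Django itself, that extends the fixed pattern above into a small compile-messages replacement: it confines .po paths to a locale root, flags filenames that would have been re-interpreted by the shell in the vulnerable version, and invokes msgfmt only through an argument list. The helper names (validate_po_path, build_msgfmt_argv, compile_messages) and the locale root are assumptions for illustration.

```python
import logging
import re
import subprocess
from pathlib import Path

log = logging.getLogger("compile_messages")
# Characters a POSIX shell treats specially: interpreted by os.system(),
# passed through verbatim when the command is given as an argv list.
SHELL_META = re.compile(r"""[;&|`$<>(){}\[\]*?!"'\\\s]""")

def has_shell_metachars(name):
    """True if a filename would have been re-interpreted by the shell."""
    return SHELL_META.search(name) is not None

def validate_po_path(po_path, locale_root):
    """Accept only a *.po path that stays inside locale_root (hypothetical helper)."""
    root = Path(locale_root).resolve()
    candidate = Path(po_path)
    if not candidate.is_absolute():
        candidate = root / candidate
    resolved = candidate.resolve()  # normalises '..' components and symlinks
    if resolved.suffix != ".po":
        raise ValueError(f"not a .po file: {po_path}")
    if root not in resolved.parents:
        raise ValueError(f"outside locale root: {po_path}")
    return resolved

def is_safe_po_path(po_path, locale_root):
    try:
        validate_po_path(po_path, locale_root)
        return True
    except ValueError:
        return False

def build_msgfmt_argv(po_path):
    """argv for msgfmt: each path is exactly one argument, whatever it contains."""
    po = Path(po_path)
    return ["msgfmt", "--check-format", "-o", str(po.with_suffix(".mo")), str(po)]

def compile_messages(locale_root):
    """Compile every .po under locale_root without ever invoking a shell."""
    compiled = 0
    for po in Path(locale_root).rglob("*.po"):
        if has_shell_metachars(po.name):
            # Harmless here (no shell), but exactly what os.system() would have run.
            log.warning("suspicious translation filename: %s", po)
        argv = build_msgfmt_argv(validate_po_path(po, locale_root))
        subprocess.run(argv, check=True)  # list form: no shell, no injection
        compiled += 1
    return compiled
```

Run compile_messages("/path/to/project/locale") from a deployment script; msgfmt from GNU gettext must be on PATH.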