Overview
CVE-2007-0404 describes a command-injection risk in Django 0.95: bin/compile-messages.py invoked the external msgfmt tool via os.system without properly quoting its arguments. An attacker could therefore execute arbitrary commands by injecting shell metacharacters into the contents of a (1) .po or (2) .mo translation file. In practice, untrusted translation content could flow into the shell invocation and give an attacker control of the host. This illustrates a class of runtime risk in which untrusted object content is handed to an external utility, so that handling the content becomes an object-level operation with privileged consequences unless it is properly constrained.
Exploitation of this CVE hinged on the unsafely constructed command line. An attacker who could influence translation assets, for example by uploading or editing .po/.mo files in a deployment, could place malicious strings that, when passed to the shell, triggered arbitrary command execution. The root cause was not a missing authorization check in a Django view, but the unsafe interaction between untrusted object content (the translation payload) and an external shell call.
The fix for this class of vulnerability is to stop invoking external commands with untrusted inputs and to prefer safe API boundaries. In real Django code, this means upgrading to patched releases that remove shell-invoking patterns, and refactoring code to use subprocess with argument lists (neither shell=True nor string-constructed commands). It also includes validating and constraining inputs, and using Django’s own translation tooling through safe interfaces rather than ad-hoc shell invocations. These steps mitigate both the specific CVE-2007-0404 risk and similar patterns where object-delivered content can influence system commands.
From a security abstraction standpoint, this vulnerability illustrates how “Broken Object Property Level Authorization” concepts can be misapplied when object content (a translation file) interacts with external tools. While not a canonical object-permission flaw, the underlying risk arises when content owned by an object model is used in a way that affects system state outside the application’s normal authorization checks. The remediation below maps directly to Django practices: upgrade, avoid os.system, and adopt safe subprocess usage paired with input validation and safer translation workflows.
Affected Versions
Django 0.95
Code Fix Example
Django API Security Remediation
import os
import subprocess

# vulnerable: both paths are interpolated into one string that a shell then
# parses, so any shell metacharacters inside them become part of the command
def compile_messages_vulnerable(po_path, mo_path):
    cmd = "msgfmt %s -o %s" % (po_path, mo_path)
    os.system(cmd)

# fixed: an argument list goes straight to the program, no shell parses it,
# and absolute paths (starting with "/") cannot be mistaken for msgfmt options
def compile_messages_safe(po_path, mo_path):
    po = os.path.abspath(po_path)
    mo = os.path.abspath(mo_path)
    subprocess.check_call(["msgfmt", po, "-o", mo])
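The following is an added example, not code from the page or from Django, that extends the fix above with the input validation the text calls for: it shows how a POSIX shell would fragment the naive command string, and it confines .po paths to a locale directory (the directory layout and the file-name policy are assumptions for this example) before building a shell-free argv for msgfmt.

```python
import os
import re
import shlex
import subprocess

# Constructed policy for this example: accept only plain locale-style names.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.po$")

def naive_command_line(po_path, mo_path):
    """The CVE-2007-0404 pattern: one unquoted string handed to a shell."""
    return "msgfmt %s -o %s" % (po_path, mo_path)

def shell_word_count(command_line):
    """How many words a POSIX shell would split the string into."""
    return len(shlex.split(command_line))

def validated_po_path(po_path, locale_root):
    """Return an absolute .po path confined to locale_root, else raise ValueError."""
    root = os.path.realpath(locale_root)
    candidate = os.path.realpath(os.path.join(root, po_path))
    # Reject anything that resolves outside the locale directory (traversal, absolute paths).
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes locale root: %r" % po_path)
    # Reject names outside the allowed character set (spaces, metacharacters, wrong suffix).
    if not _SAFE_NAME.match(os.path.basename(candidate)):
        raise ValueError("unexpected .po file name: %r" % po_path)
    return candidate

def is_acceptable(po_path, locale_root):
    """True if validated_po_path would accept the path."""
    try:
        validated_po_path(po_path, locale_root)
        return True
    except ValueError:
        return False

def msgfmt_argv(po_path, locale_root):
    """Build argv for msgfmt: each element is one literal argument, no shell involved."""
    po = validated_po_path(po_path, locale_root)
    return ["msgfmt", po, "-o", po[:-3] + ".mo"]

def compile_po(po_path, locale_root, run=False):
    """Validate, build argv, and optionally run msgfmt without a shell."""
    argv = msgfmt_argv(po_path, locale_root)
    if run:
        subprocess.check_call(argv)  # argument list, never shell=True
    return argv
```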