Overview
CVE-2007-0404 describes an improper input handling vulnerability in Django 0.95 where bin/compile-messages.py builds a shell command string to run the msgfmt program and executes it via os.system without quoting its arguments. This allowed an attacker to trigger command execution by crafting translation files (.po or .mo) that inject shell metacharacters. The impact could be remote code execution on the server during translation processing, or at least execution of arbitrary shell commands, depending on the environment and the permissions of the account running the script. The vulnerability was fixed by changing how arguments are passed to the external tool and by avoiding shell interpretation altogether. This pattern is a classic example of improper handling of untrusted input that reaches a system call, here in Django's translation workflow.
Affected Versions
Django 0.95 (and earlier)
Code Fix Example
Django API Security Remediation
# Vulnerable pattern (os.system with unquoted input)
import os

def compile_messages_vulnerable(po_path, out_path):
    # Vulnerable: the paths are pasted into a shell command string, so any
    # shell metacharacters they contain are interpreted by /bin/sh
    cmd = "msgfmt -o {} {}".format(out_path, po_path)
    os.system(cmd)

# Fixed pattern (use subprocess with a list, no shell)
import subprocess

def compile_messages_safe(po_path, out_path):
    # Safe: each argument reaches msgfmt as a single argv entry; no shell is
    # involved, so metacharacters in the paths have no special meaning
    subprocess.check_call(["msgfmt", "-o", out_path, po_path])

# Example usage (do not run vulnerable version in production):
if __name__ == "__main__":
    po = "/path/to/translations/messages.po"
    mo = "/path/to/translations/messages.mo"
    # compile_messages_vulnerable(po, mo)  # Unsafe: for demonstration only
    compile_messages_safe(po, mo)  # Safe: recommended
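The following harness is an added example, not code from the advisory or from Django; it makes the difference between the two patterns above observable without running msgfmt. It tokenizes the unquoted command string the way a POSIX shell would (no execution), shows that shlex.quote() or the argv-list form keeps a metacharacter-laden path as one argument, spawns a Python child in place of msgfmt to confirm what argv the child actually receives, and adds a defence-in-depth validator for translation paths. The sample filename, the /tmp output path and the /srv/app/locale root are constructed for the example.

```python
import json
import os
import re
import shlex
import subprocess
import sys

# Constructed sample input (not from the advisory): a .po filename carrying
# shell metacharacters. A harmless "touch" stands in for the appended command.
SUSPICIOUS_PO = "messages; touch marker.po"
OUT_MO = "/tmp/django.mo"  # constructed output path


def shell_view(cmd_string):
    """Tokenize a command string the way a POSIX shell would, without running
    it. With punctuation_chars=True, separators such as ';' come back as their
    own tokens, so a second command after the separator is plainly visible."""
    return list(shlex.shlex(cmd_string, posix=True, punctuation_chars=True))


def vulnerable_command(po_path, out_path):
    """The pre-fix construction: paths pasted into a string destined for os.system()."""
    return "msgfmt -o {} {}".format(out_path, po_path)


def quoted_command(po_path, out_path):
    """Mitigation when a shell string is unavoidable: shlex.quote() each
    argument so metacharacters lose their meaning to the shell."""
    return "msgfmt -o {} {}".format(shlex.quote(out_path), shlex.quote(po_path))


def msgfmt_argv(po_path, out_path):
    """The fixed construction: an argv list handed to the executable, no shell."""
    return ["msgfmt", "-o", out_path, po_path]


def child_argv(args):
    """Spawn a Python child (standing in for msgfmt, which may not be installed)
    with the argv-list form and return the argv it actually received."""
    result = subprocess.run(
        [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))", *args],
        capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


# Conservative character set for translation file paths (hypothetical policy).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_./-]+$")


def validate_translation_path(relative_path, locale_root):
    """Defence in depth: accept only conservative characters, a .po suffix and a
    resolved location inside locale_root (rejects '..' traversal)."""
    if not _SAFE_NAME.fullmatch(relative_path) or not relative_path.endswith(".po"):
        return False
    root = os.path.realpath(locale_root)
    target = os.path.realpath(os.path.join(root, relative_path))
    return os.path.commonpath([root, target]) == root


if __name__ == "__main__":
    print("shell sees:", shell_view(vulnerable_command(SUSPICIOUS_PO, OUT_MO)))
    print("quoted:    ", shell_view(quoted_command(SUSPICIOUS_PO, OUT_MO)))
    print("child got: ", child_argv(msgfmt_argv(SUSPICIOUS_PO, OUT_MO)[1:]))
    print("validated: ", validate_translation_path(SUSPICIOUS_PO, "/srv/app/locale"))
```

The tokenized view of the unquoted command contains seven tokens with a ';' separator in the middle, which is exactly what /bin/sh would execute as two commands; the quoted and argv-list forms each carry the whole filename as a single argument, and the child process confirms it arrived that way. The validator is an extra layer for a build step that only ever expects files under the locale tree; it is not a substitute for dropping the shell.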