Injection

Django Injection: CVE-2007-0404 remediation [Mar 2026] [CVE-2007-0404]

[Updated Mar 2026] Updated CVE-2007-0404

Overview

CVE-2007-0404 concerns Django 0.95's bin/compile-messages.py, which invoked the external message formatter (msgfmt) through os.system without quoting its arguments. Because the command string was built from translation file paths and then handed to a shell, an attacker who could influence that input (crafted content in .po or .mo translation files, or files placed in the locale tree) could inject shell metacharacters such as semicolons or backticks and have the shell run unintended commands when Django compiled translations, potentially executing arbitrary commands on the server. The vulnerability is a textbook case of untrusted, user- or file-provided data reaching a shell-enabled API and yielding remote code execution in a web application framework. A patch was published that eliminated the unsafe shell usage, and the quoting concerns with it.

The remediation pattern is to stop using os.system with untrusted input and to call external tools through an API that passes arguments as separate parameters and never involves a shell. In Django code this means adopting subprocess with a list of arguments (no shell) and validating translation file paths. The Code Fix Example below shows the vulnerable pattern and its secure replacement. Beyond the code change, upgrading Django to a patched version, reviewing other uses of shell-invoking functions, and adding tests that guard translation processing against injection further reduce risk.

As a broader practice, keep Django up to date with security patches, audit command-execution surfaces in your codebase, and implement tests that simulate malicious translation content to ensure the shell is never invoked with interpolated input from translations.

Affected Versions

Django 0.95 (vulnerable); patched in subsequent revisions after CVE-2007-0404 (exact fixed version not specified in the CVE).

Code Fix Example

Django API Security Remediation
Vulnerable:
import os

def compile_message_vuln(po_path, mo_path):
    # Vulnerable: the paths are interpolated into one string that os.system hands to the shell
    cmd = "msgfmt %s -o %s" % (po_path, mo_path)
    os.system(cmd)

Fixed:
import subprocess

def compile_message_safe(po_path, mo_path):
    # Refuse names that are not a .po/.mo pair before doing anything with them
    if not (po_path.endswith(".po") and mo_path.endswith(".mo")):
        raise ValueError("unexpected translation file names")
    # Safe: the list is handed to the OS as separate arguments; no shell parses it,
    # so metacharacters in the paths stay literal
    subprocess.check_call(["msgfmt", po_path, "-o", mo_path], shell=False)
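As an added example (not code from the Django project or from this page), the following Python applies both halves of the remediation: it confines each translation file to the locale tree and then builds an argv list that never passes through a shell. The names `validate_po_path`, `build_argv`, `compile_po` and `demo` are chosen here; `demo` swaps a small stub for msgfmt so the check runs offline against a constructed filename full of shell metacharacters.

```python
import os
import subprocess
import sys
import tempfile


def validate_po_path(locale_root, po_path):
    """Canonical path of po_path if it is a .po file inside locale_root, else ValueError."""
    # realpath() resolves symlinks and '..', so a crafted path cannot escape the tree
    root = os.path.realpath(locale_root)
    real = os.path.realpath(po_path)
    if os.path.commonpath([root, real]) != root:
        raise ValueError("translation file outside locale tree: %r" % po_path)
    if not real.endswith(".po"):
        raise ValueError("not a .po file: %r" % po_path)
    return real


def build_argv(locale_root, po_path, msgfmt=("msgfmt",)):
    """Argv for compiling one .po file; each list element is exactly one argument.
    Whatever the filename contains (';', '`', '$(', spaces) stays in a single entry."""
    real_po = validate_po_path(locale_root, po_path)
    return [*msgfmt, real_po, "-o", real_po[:-3] + ".mo"]


def compile_po(locale_root, po_path, msgfmt=("msgfmt",)):
    """Compile a .po file to .mo via subprocess; shell=False is the default."""
    argv = build_argv(locale_root, po_path, msgfmt)
    subprocess.run(argv, check=True)
    return argv


def demo():
    """Constructed check: a stub stands in for msgfmt and exits 0 only if it
    received the whole metacharacter-laden filename as argv[1] and '-o' as argv[2]."""
    stub = [sys.executable, "-c",
            "import sys; sys.exit(0 if sys.argv[1].endswith('spaces.po') "
            "and sys.argv[2] == '-o' else 3)"]
    with tempfile.TemporaryDirectory() as root:
        po = os.path.join(root, "de", "LC_MESSAGES", "has; `meta` $(chars) and spaces.po")
        os.makedirs(os.path.dirname(po))
        open(po, "w").close()
        argv = compile_po(root, po, stub)   # CalledProcessError if the argument were split
        try:
            build_argv(root, os.path.join(root, "..", "escape.po"))
            return False                    # traversal out of the locale tree must be rejected
        except ValueError:
            pass
        return argv[-3] == os.path.realpath(po) and argv[-1].endswith(".mo")
```

Point `msgfmt` at the real GNU tool (the default) to use `compile_po` in a build step; the stub exists only so `demo()` proves the argument boundary without the tool installed.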

CVE References
