Overview
CVE-2007-0404 describes an OS command injection flaw in Django 0.95: bin/compile-messages.py walks the locale tree and, for every .po file it finds, builds a shell command that invokes the msgfmt program with the file's path formatted straight into the command string, which is then handed to os.system. The path is wrapped in double quotes but never escaped, so a file or directory name containing a double quote, backtick, $(...) or ; terminates the quoted argument and the remainder of the name is executed by the shell. Anyone who can introduce a file with such a name into the locale tree (for example through a contributed translation archive or a writable checkout) obtains arbitrary command execution with the privileges of whoever runs the script, typically a developer or deployment account. Note that compile-messages.py is a build-time command-line tool, not the web application: the vulnerable call is never reached by an HTTP request, and the contents of the .po file play no part in the injection, only its path does. The flaw is a textbook case of passing untrusted data to os.system. Django's fix stopped interpolating the paths into the command string (it passed them through environment variables that the shell expands inside double quotes); the modern equivalent is to skip the shell entirely and pass the paths as separate argv elements.
Affected Versions
Django 0.95
Code Fix Example
import os
import subprocess

# Vulnerable pattern (Django 0.95 style): the .mo and .po paths are string-formatted
# into a shell command line. The double quotes stop spaces from splitting the
# argument but do nothing against a quote, backtick, $(...) or ; inside the path.
def compile_messages_vulnerable(po_path, mo_path):
    # DO NOT DO THIS: the paths come from a directory walk and reach the shell
    # unescaped, so a file named 'x"; id; echo ".po' makes the shell run id
    cmd = 'msgfmt -o "%s" "%s"' % (mo_path, po_path)
    os.system(cmd)

# Fixed pattern: no shell at all; each path is its own argv element, so shell
# metacharacters in a file name are just bytes
def compile_messages_safe(po_path, mo_path):
    subprocess.check_call(['msgfmt', '-o', mo_path, po_path])

if __name__ == '__main__':
    # Example usage (requires msgfmt from gettext to be installed)
    po = 'locale/en/LC_MESSAGES/django.po'
    mo = 'locale/en/LC_MESSAGES/django.mo'
    # compile_messages_vulnerable(po, mo)  # DO NOT RUN on a tree you did not create
    compile_messages_safe(po, mo)
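The following added example is not Django's code and not part of the original page. It reproduces the injection end to end over a constructed locale tree and contrasts three ways of building the msgfmt command: the 0.95-style string-formatted form, the same string with shlex.quote applied to each path, and an argv list run without a shell. It assumes a POSIX /bin/sh and substitutes echo for msgfmt so it runs without gettext installed; the tree, the catalogue contents and the hostile file name are all constructed for the demo.

```python
import os
import shlex
import shutil
import subprocess
import tempfile

# Constructed sample file name: it closes the double quote the 0.95 script put
# around the path, runs a command of the attacker's choosing, then reopens the
# quote so the rest of the command line still parses.
MALICIOUS_BASENAME = 'evil"; echo INJECTED; echo "'


def build_vulnerable_command(pf, tool="msgfmt"):
    """Django 0.95 style: the base path is formatted into a shell string.
    Double quotes only protect against spaces, not against a quote in the path."""
    return '%s -o "%s.mo" "%s.po"' % (tool, pf, pf)


def build_quoted_command(pf, tool="msgfmt"):
    """If a shell string is unavoidable, shlex.quote turns each path into one
    shell word regardless of the characters it contains."""
    return "%s -o %s %s" % (tool, shlex.quote(pf + ".mo"), shlex.quote(pf + ".po"))


def build_safe_argv(pf, tool="msgfmt"):
    """No shell at all: each path is a separate argv element, so shell
    metacharacters are just bytes in a file name."""
    return [tool, "-o", pf + ".mo", pf + ".po"]


def po_base_paths(basedir):
    """Mirror the os.walk loop of compile-messages.py: return each .po file's
    path with the extension stripped (the value the script formatted in)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(basedir):
        for name in filenames:
            if name.endswith(".po"):
                found.append(os.path.splitext(os.path.join(dirpath, name))[0])
    return found


def run_shell(cmd):
    """Run a command string through /bin/sh, as os.system does; return stdout lines."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.splitlines()


def run_argv(argv):
    """Run an argv list directly (no shell); return stdout lines."""
    return subprocess.run(argv, capture_output=True, text=True).stdout.splitlines()


def make_sample_tree():
    """Constructed locale tree: one benign catalogue and one with a hostile name."""
    root = tempfile.mkdtemp(prefix="locale-demo-")
    for lang, base in (("en", "django"), ("xx", MALICIOUS_BASENAME)):
        msgdir = os.path.join(root, lang, "LC_MESSAGES")
        os.makedirs(msgdir)
        with open(os.path.join(msgdir, base + ".po"), "w") as fh:
            fh.write('msgid ""\nmsgstr ""\n')  # minimal .po header, constructed
    return root


def demo(tool="echo"):
    """Compile every catalogue three ways and collect what each variant printed.
    echo stands in for msgfmt (assumption): with the vulnerable form the injected
    command shows up as its own output line; with the other two the hostile name
    stays inside the path argument."""
    root = make_sample_tree()
    try:
        results = {}
        for pf in po_base_paths(root):
            results[os.path.basename(pf)] = {
                "vulnerable": run_shell(build_vulnerable_command(pf, tool)),
                "quoted": run_shell(build_quoted_command(pf, tool)),
                "argv": run_argv(build_safe_argv(pf, tool)),
            }
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, runs in demo().items():
        for variant, lines in runs.items():
            print("%-8s %-10s -> %d line(s), injected: %s"
                  % (name[:8], variant, len(lines), "INJECTED" in lines))
```

For the hostile catalogue the vulnerable form yields five output lines, two of which are the bare word INJECTED, because the shell saw `echo -o "...evil"; echo INJECTED; echo ".mo" ...`; the quoted and argv forms each produce a single line in which the name is just data. Prefer the argv form in new code; shlex.quote is the fallback only when a shell feature (a pipe, a redirect) is genuinely required.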