Overview
CVE-2007-0404 is an OS command injection flaw (CWE-78) in Django's translation build tooling; it is sometimes filed under broader headings such as Sensitive Data Exposure because of what an attacker can reach once commands run, but the root cause is unescaped shell input. In Django 0.95 and earlier, bin/compile-messages.py built the command line for the external msgfmt utility by string concatenation and handed it to os.system without quoting or escaping the filename. Because os.system runs the string through /bin/sh, any shell metacharacters in the name of a .po file that the script encounters while walking the locale directory tree are interpreted as shell syntax, so whoever can create or rename a file in that tree can execute arbitrary commands with the privileges of the user running the script. The vector is the filename, not the contents of the .po or .mo file: msgfmt reads the contents, the shell only ever sees the name. The impact depends on where the script runs: in a developer checkout it compromises that account; in an automated build or deployment pipeline it can leak secrets available to that pipeline or compromise the host. The issue was fixed in Django 0.95.1.
Affected Versions
Django 0.95 and earlier (CVE-2007-0404); fixed in Django 0.95.1.
Code Fix Example
Simplified illustration of the vulnerable pattern and its remediation (not the original compile-messages.py source verbatim)
Vulnerable:
import os
# In compile-messages.py this value comes from walking the locale tree, so an
# attacker who can drop a file named e.g. 'x.po; id' into that tree controls it.
po_file = 'locales/en/LC_MESSAGES/django.po'
cmd = 'msgfmt ' + po_file
# os.system passes the string to /bin/sh, which honours ; | & $( ) and friends
# inside the filename, so everything after a ';' runs as a second command.
os.system(cmd)
Fixed:
import subprocess
po_file = 'locales/en/LC_MESSAGES/django.po'
# Safer: pass the arguments as a list so no shell ever parses the filename, and
# put '--' before it so msgfmt does not treat a name beginning with '-' as an
# option. (subprocess.run needs Python 3.5+; subprocess.call accepts the same
# list on older interpreters.)
subprocess.run(['msgfmt', '--', po_file], check=True)
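The following Python script is an added, runnable example that is not Django's compile-messages.py and not code from the original page: it executes the concatenate-and-shell pattern and the argv-list pattern against the same crafted filename so the difference can be observed, and adds an illustrative path check of the kind a build step that walks an untrusted directory should do. Assumptions: a POSIX /bin/sh and an echo binary are available; echo stands in for msgfmt so the example runs without gettext installed; CRAFTED_PO is a constructed filename; and po_path_problem is a hypothetical helper, not something Django shipped.

```python
import subprocess
from pathlib import Path

# Constructed filename for this example: a .po path whose name carries shell
# metacharacters, the kind of name an attacker would plant in a locale tree.
CRAFTED_PO = "locale/en/LC_MESSAGES/django.po; echo INJECTED"

# Assumption: 'echo' stands in for msgfmt so the example runs without gettext
# installed; it needs a POSIX /bin/sh and an echo binary on PATH.
TOOL = "echo"


def run_vulnerable(po_file, tool=TOOL):
    """The pre-0.95.1 pattern: build one string and hand it to the shell.

    Behaves like os.system(tool + ' ' + po_file); subprocess with shell=True is
    used here only so the output can be captured and inspected.
    """
    cmd = tool + " " + po_file
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    # With the crafted name the shell runs two commands and we get two lines.
    return proc.stdout.splitlines()


def run_hardened(po_file, tool=TOOL):
    """Argument list and no shell: the filename reaches the tool as a single argv
    entry, metacharacters included, so nothing after the ';' is executed."""
    proc = subprocess.run([tool, po_file], capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def po_path_problem(po_file, locale_root):
    """Hypothetical defence-in-depth check for a script that walks a directory tree
    it does not fully control. Returns None when the path is acceptable, otherwise
    a short reason string.

    - a basename starting with '-' is rejected because msgfmt would parse it as an
      option even without a shell (passing '--' before the name also closes that);
    - only files whose suffix is exactly '.po' are compiled;
    - the resolved path must stay under the locale root.
    """
    root = Path(locale_root).resolve()
    candidate = Path(po_file).resolve()
    if candidate.name.startswith("-"):
        return "basename looks like an option"
    if candidate.suffix != ".po":
        return "not a .po file"
    try:
        candidate.relative_to(root)
    except ValueError:
        return "path escapes the locale root"
    return None


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(CRAFTED_PO))   # second line shows INJECTED ran
    print("hardened:  ", run_hardened(CRAFTED_PO))     # one line: the name, verbatim
    print("path check:", po_path_problem(CRAFTED_PO, "locale"))
```

The argv-list form is the actual fix; the path check is belt-and-braces for the case where the tool itself interprets odd filenames, and it is cheap to run before every msgfmt invocation.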