Unrestricted Resource Consumption

Unrestricted Resource Consumption in Django, CVE-2007-0404 [CVE-2007-0404]

[Updated 2007-04] Updated CVE-2007-0404

Overview

CVE-2007-0404 is a command injection in the Django 0.95 translation tooling that also fits the Unrestricted Resource Consumption pattern. bin/compile-messages.py compiled message catalogues by invoking the msgfmt program through os.system, interpolating the .po and .mo paths into the command string without quoting them. Because os.system hands that string to /bin/sh, any shell metacharacter (a semicolon, a pipe, backquotes or $(...)) in a file or directory name under the locale tree is parsed as shell syntax rather than as part of a path. An attacker who can place a .po or .mo file with a crafted name where the script walks, for example in an untrusted application's locale directory, therefore gets arbitrary command execution with the privileges of whoever runs the compile step.

Exploitation flow: the script enumerates translation files and builds a string of the form "msgfmt -o <mo_path> <po_path>"; a metacharacter in the name terminates the msgfmt command early and starts another. Nothing in the script validates or quotes the name, so the injected command runs once for every affected file. Because the compile step is repeated over the whole tree, the same flaw doubles as a denial-of-service primitive: a name that spawns further processes multiplies children during compilation and exhausts CPU, memory or process slots on the host, which is the resource-consumption aspect this page groups the CVE under.

Fix approach: replace os.system with a subprocess call that passes the program and its arguments as a list and does not use a shell, so each path reaches msgfmt as a single argument no matter what characters it contains. If a command string is unavoidable, quote every argument with shlex.quote. Independently, restrict which files are compiled (relative paths under the expected locale root, a .po suffix, no parent-directory components) and run the translation build as an unprivileged user in a controlled environment. Upgrade to a patched Django release or apply the patch to bin/compile-messages.py, and add a regression test that compiles a catalogue whose name contains metacharacters and asserts that nothing other than msgfmt is executed.
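The following is an added example and not Django's code or the patch for this CVE. It reproduces the unquoted command construction with a constructed locale directory name, tokenizes the result the way a POSIX shell would so the injected command is visible without executing anything, and shows a hardened replacement (the msgfmt_argv and compile_messages helpers are hypothetical names, not Django APIs) that validates the path and invokes msgfmt through subprocess without a shell:

```python
"""Added example, not Django's code: shows why the unquoted os.system()
call behind CVE-2007-0404 is controllable through a file name, and the
list-based subprocess replacement plus path check that closes it."""
import shlex
import subprocess
from pathlib import PurePosixPath

LOCALE_ROOT = "locale"
# Constructed attacker-chosen locale directory name (not from the advisory);
# the ';' characters are what the shell will see.
EVIL_PO = "de; touch pwned;/LC_MESSAGES/django.po"


def vulnerable_command(po_path, locale_root=LOCALE_ROOT):
    """Build the command the way the vulnerable script did: the unquoted
    paths are interpolated into text that os.system() hands to /bin/sh."""
    full = locale_root + "/" + po_path
    mo_path = full[:-3] + ".mo"
    return "msgfmt -o {} {}".format(mo_path, full)


def shell_commands(cmd):
    """Tokenize like a POSIX shell and return the separate commands
    (argv lists) that ';' splits the string into. Shows what would run
    without actually running anything."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=";")
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def msgfmt_argv(po_path, locale_root=LOCALE_ROOT):
    """Hardened equivalent (hypothetical helper): reject paths that escape
    the locale tree or are not .po files, then build an argv list. Each
    path is exactly one argument, so metacharacters are never parsed."""
    rel = PurePosixPath(po_path)
    if rel.is_absolute() or ".." in rel.parts or rel.suffix != ".po":
        raise ValueError("refusing to compile %r" % po_path)
    full = PurePosixPath(locale_root) / rel
    return ["msgfmt", "-o", str(full.with_suffix(".mo")), str(full)]


def compile_messages(po_path, locale_root=LOCALE_ROOT):
    """Run msgfmt with no shell involved; check=True raises on failure."""
    return subprocess.run(msgfmt_argv(po_path, locale_root), check=True)


if __name__ == "__main__":
    for argv in shell_commands(vulnerable_command(EVIL_PO)):
        print("vulnerable: shell would run", argv)
    print("hardened argv:", msgfmt_argv(EVIL_PO))
```

Run stand-alone, the block prints the five separate commands the shell would execute for the crafted name (msgfmt with a truncated argument, "touch pwned" twice, and two attempts to execute the leftover path fragments), then the single four-element argv that the hardened version hands to msgfmt. The list form alone removes the shell parsing; the suffix and parent-directory checks are defence in depth against compiling files the build was never meant to touch.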

Affected Versions

Django 0.95 and earlier

Code Fix Example

Django API Security Remediation
Vulnerable:
import os

def compile_messages_vuln(po_path, mo_path):
    # Both paths are interpolated unquoted into a string that os.system()
    # passes to /bin/sh, so shell metacharacters in either file name are
    # executed as commands (the CVE-2007-0404 pattern).
    cmd = "msgfmt -o {} {}".format(mo_path, po_path)
    os.system(cmd)

Fixed:
import subprocess

def compile_messages_fix(po_path, mo_path):
    # No shell is involved: msgfmt receives each path as exactly one
    # argument, whatever characters it contains. check_call raises
    # CalledProcessError on a non-zero exit; msgfmt's own output is
    # discarded here (stderr follows stdout to DEVNULL).
    subprocess.check_call(
        ["msgfmt", "-o", mo_path, po_path],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.STDOUT,
    )

CVE References
