VYPR
High severity · NVD Advisory · Published Jan 23, 2007 · Updated Apr 23, 2026

CVE-2007-0404


Description

bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.
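The description above is a textbook case of building a shell command line by string interpolation. The example below is added here and is not Django's code: it rebuilds the pre-fix command string from the patches, puts it next to two hardened forms (a shlex.quote'd string and a plain argument vector run without a shell), and shows what a POSIX shell would make of each. The basenames are constructed for the example; the second one contains a double quote, which is enough to move the argument boundaries of the unquoted string. Because msgfmt may not be installed, the argv run uses the Python interpreter as a stand-in tool that reports the arguments it received.

```python
import ast
import shlex
import subprocess
import sys

# Constructed sample basenames (assumptions for this example, not from the advisory).
PLAIN_BASENAME = 'locale/de/LC_MESSAGES/django'
TRICKY_BASENAME = 'locale/de"beta'


def unsafe_command(pf):
    """Pre-fix construction from the patches: the basename is interpolated
    straight into a string that os.system() hands to /bin/sh."""
    return 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf)


def intended_argv(pf, tool='msgfmt'):
    """The argument vector the script actually means to run."""
    return [tool, '-o', pf + '.mo', pf + '.po']


def quoted_command(pf):
    """Hardened string form: every argument goes through shlex.quote, so a
    POSIX shell delivers exactly the intended words to msgfmt."""
    return ' '.join(shlex.quote(a) for a in intended_argv(pf))


def words_shell_would_see(cmd):
    """Split a command line with POSIX-sh quoting rules (shlex.split). Word
    splitting is the part of shell parsing that quoting controls; expansions
    such as $var or `cmd` are a further step that a literal argv never reaches."""
    return shlex.split(cmd)


def run_argv(pf):
    """Run the argv form with no shell at all. The interpreter stands in for
    msgfmt (assumption: msgfmt may be absent) and prints back its argv, so the
    return value is exactly what the real tool would have received."""
    stand_in = [sys.executable, '-c', 'import sys; print(repr(sys.argv[1:]))']
    argv = stand_in + intended_argv(pf)[1:]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return ast.literal_eval(out)


if __name__ == '__main__':
    for name in (PLAIN_BASENAME, TRICKY_BASENAME):
        print('basename      :', repr(name))
        print('intended argv :', intended_argv(name))
        print('unsafe string :', words_shell_would_see(unsafe_command(name)))
        print('quoted string :', words_shell_would_see(quoted_command(name)))
        print('argv, no shell:', run_argv(name))
```

For the plain basename all three forms agree. For the tricky one the unsafe string collapses to three words instead of four, because the embedded quote ends the quoting the script relied on; the quoted string and the argv form both keep the name intact. The argv form is the one to prefer: it needs no knowledge of the shell's quoting rules on any platform, and there is no shell to interpret anything.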

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions    Patched versions
Django (PyPI)    >= 0.95, < 1.0       1.0

Affected products (1)

Patches (2)
a132d411c698

0.95-bugfixes: Apply security fix from [3592] and Windows compatibility for same from [3672]

https://github.com/django/django · James Bennett · Jan 20, 2007 · via ghsa
1 file changed · +11 −1
  • django/bin/compile-messages.py  +11 −1  modified
    @@ -19,7 +19,17 @@ def compile_messages():
                 if f.endswith('.po'):
                     sys.stderr.write('processing file %s in %s\n' % (f, dirpath))
                     pf = os.path.splitext(os.path.join(dirpath, f))[0]
    -                cmd = 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf)
    +                # Store the names of the .mo and .po files in an environment
    +                # variable, rather than doing a string replacement into the
    +                # command, so that we can take advantage of shell quoting, to
    +                # quote any malicious characters/escaping.
    +                # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
    +                os.environ['djangocompilemo'] = pf + '.mo'
    +                os.environ['djangocompilepo'] = pf + '.po'
    +                if sys.platform == 'win32': # Different shell-variable syntax
    +                    cmd = 'msgfmt -o "%djangocompilemo%" "%djangocompilepo%"'
    +                else:
    +                    cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"' 
                     os.system(cmd)
     
     if __name__ == "__main__":
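Review bot: the win32 branch, `cmd = 'msgfmt -o "%djangocompilemo%" "%djangocompilepo%"'`, does not get the guarantee the new comment describes. cmd.exe substitutes `%var%` textually before it parses the line, so a value containing a double quote or a command separator becomes part of the command text; a POSIX shell, by contrast, expands `"$var"` after parsing and delivers the value as a single word. The portable fix is to leave the shell out: build `['msgfmt', '-o', pf + '.mo', pf + '.po']` and run it with an argv-based call (os.spawnv or subprocess), which also removes the two process-wide environment variables this hunk sets and never clears. Minor: trailing whitespace after the closing quote on the `else` branch's `cmd =` line.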
    
518d406e53

Fixed small security hole in bin/compile-messages.py by escaping the .po filename in os.system() call. Announcement forthcoming

https://github.com/django/django · Adrian Holovaty · Aug 16, 2006 · via ghsa
1 file changed · +8 −1
  • django/bin/compile-messages.py  +8 −1  modified
    @@ -19,7 +19,14 @@ def compile_messages():
                 if f.endswith('.po'):
                     sys.stderr.write('processing file %s in %s\n' % (f, dirpath))
                     pf = os.path.splitext(os.path.join(dirpath, f))[0]
    -                cmd = 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf)
    +                # Store the names of the .mo and .po files in an environment
    +                # variable, rather than doing a string replacement into the
    +                # command, so that we can take advantage of shell quoting, to
    +                # quote any malicious characters/escaping.
    +                # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
    +                os.environ['djangocompilemo'] = pf + '.mo'
    +                os.environ['djangocompilepo'] = pf + '.po'
    +                cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"'
                     os.system(cmd)
     
     if __name__ == "__main__":
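Review bot: the new `cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"'` only works under a POSIX shell; on Windows `os.system` goes through cmd.exe, which does not expand `$var`, so msgfmt would receive the literal variable names there and compilation would silently stop working. The mechanism is also not escaping, as the commit message says, but moving the untrusted value out of the command text into an environment variable that the shell expands inside double quotes after parsing; naming that distinction in the comment would help anyone porting the pattern. The environment variables are set on the process and never removed; an argv-based call (os.spawnv or subprocess) would avoid both the shell and the leftover state.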
    
