Security hole found in Django
Last Thursday (talking about Rails) I said:
The time will come when each of the other frameworks will be found to have critical security flaws as well.
The only question is… how will they handle it when it happens?
Well, it happened sooner than I thought. Tonight Adrian announced on the Django weblog that a “small security hole” has been fixed in Django’s translation helper utility.
Quoth Adrian:
The Django team discovered and fixed a small security hole in the django/bin/compile-messages.py helper script, which is the script that compiles language translation message files (.po files) into binary format (.mo files).
The compile-messages.py script uses the name of the .po file to build arguments to a system command, and it didn’t sufficiently validate the filename for potentially malicious content.
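The bug class Adrian is describing is shell command injection through a file name. The example below is added here to show what that pattern looks like and how it is closed; it is not Django's compile-messages.py, not the patch the notice describes, and the `msgfmt` invocation, the allow-list regex and the crafted file name are all my own assumptions for illustration.

```python
import re
import shlex
import subprocess

# Added example, not Django's compile-messages.py or its fix. It models the
# bug class Adrian describes: a .po file name spliced into a shell command.


def build_unsafe_command(po_file):
    """Vulnerable pattern (assumed, illustrative): the file name is
    interpolated into a single string that a shell will later parse."""
    mo_file = po_file[:-len(".po")] + ".mo"
    return 'msgfmt -o "%s" "%s"' % (mo_file, po_file)


def shell_commands(cmd):
    """Tokenize `cmd` roughly the way a POSIX shell would (quotes honoured,
    ';' as a separator) so the separate commands the shell would run
    become visible. Approximation only: no variable expansion or globbing."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Allow-list (assumed policy): letters, digits, '_', '-', '.', '/' and the
# name must end in '.po'. Quotes, ';', '$', spaces and the like are refused.
SAFE_PO_NAME = re.compile(r"^[A-Za-z0-9_./-]+\.po$")


def build_safe_command(po_file):
    """Hardened form: validate the name against the allow-list, refuse any
    '..' path component, then build argv as a list so the arguments go
    straight to execve and no shell ever sees them."""
    if not SAFE_PO_NAME.match(po_file) or ".." in po_file.split("/"):
        raise ValueError("refusing suspicious .po file name: %r" % po_file)
    mo_file = po_file[:-len(".po")] + ".mo"
    return ["msgfmt", "-o", mo_file, po_file]


def compile_messages(po_file):
    """Run msgfmt on a validated .po file without invoking a shell."""
    argv = build_safe_command(po_file)
    subprocess.run(argv, check=True)  # shell=False is the default


if __name__ == "__main__":
    # Constructed malicious file name for demonstration.
    evil = 'en"; touch /tmp/pwned; echo ".po'
    cmd = build_unsafe_command(evil)
    print("unsafe command string:", cmd)
    for argv in shell_commands(cmd):
        print("  shell would run:", argv)
    print("safe argv:", build_safe_command("locale/en/LC_MESSAGES/django.po"))
    try:
        build_safe_command(evil)
    except ValueError as exc:
        print("hardened form rejects it:", exc)
```

The two halves of the fix are independent and both are worth keeping: passing an argv list removes the shell from the path entirely, and the allow-list still stops a name from being turned into an `-`-prefixed option or a path outside the locale tree even when no shell is involved.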
According to the post, “No exploit based on this vulnerability, proof-of-concept or otherwise, is known to have existed.”
The security notice appears to be full disclosure, with a rather detailed explanation of exactly what the problem was and how it has been fixed. I’m assuming time from discovery to fix was short, but that’s not specifically mentioned.
All things considered, it looks like they handled this one pretty well.