innov
/
django1
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Fixed #21345: Don't evaluate callable settings in the debug page. 

Thanks to crass for the report.
This commit is contained in:
Baptiste Mispelon 2013-10-29 23:06:59 +01:00
parent 8f73559823
commit 3c5cdaf47a
2 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
django/views/debug.py
View File

@ -46,6 +46,10 @@ def cleanse_setting(key, value):
except TypeError: except TypeError:
# If the key isn't regex-able, just return as-is. # If the key isn't regex-able, just return as-is.
cleansed = value cleansed = value
if callable(cleansed):
cleansed.do_not_call_in_templates = True
return cleansed return cleansed
def get_safe_settings(): def get_safe_settings():

10
tests/view_tests/tests/test_debug.py
View File

@ -586,6 +586,16 @@ class ExceptionReporterFilterTests(TestCase, ExceptionReportTestMixin):
self.verify_safe_response(sensitive_kwargs_function_caller, check_for_POST_params=False) self.verify_safe_response(sensitive_kwargs_function_caller, check_for_POST_params=False)
self.verify_safe_email(sensitive_kwargs_function_caller, check_for_POST_params=False) self.verify_safe_email(sensitive_kwargs_function_caller, check_for_POST_params=False)
def test_callable_settings(self):
"""
Callable settings should not be evaluated in the debug page (#21345).
"""
def callable_setting():
return "This should not be displayed"
with self.settings(DEBUG=True, FOOBAR=callable_setting):
response = self.client.get('/views/raises500/')
self.assertNotContains(response, "This should not be displayed", status_code=500)
class AjaxResponseExceptionReporterFilter(TestCase, ExceptionReportTestMixin): class AjaxResponseExceptionReporterFilter(TestCase, ExceptionReportTestMixin):
""" """