Fixed #21345: Don't evaluate callable settings in the debug page.

Thanks to crass for the report.
2013-10-29 23:06:59 +01:00 · 2013-10-29 23:06:59 +01:00 · 3c5cdaf47a
parent 8f73559823
commit 3c5cdaf47a
2 changed files with 14 additions and 0 deletions
--- a/django/views/debug.py
+++ b/django/views/debug.py
@ -46,6 +46,10 @@ def cleanse_setting(key, value):
    except TypeError:
        # If the key isn't regex-able, just return as-is.
        cleansed = value
+
+    if callable(cleansed):
+        cleansed.do_not_call_in_templates = True
+
    return cleansed

 def get_safe_settings():
--- a/tests/view_tests/tests/test_debug.py
+++ b/tests/view_tests/tests/test_debug.py
@ -586,6 +586,16 @@ class ExceptionReporterFilterTests(TestCase, ExceptionReportTestMixin):
            self.verify_safe_response(sensitive_kwargs_function_caller, check_for_POST_params=False)
            self.verify_safe_email(sensitive_kwargs_function_caller, check_for_POST_params=False)

+    def test_callable_settings(self):
+        """
+        Callable settings should not be evaluated in the debug page (#21345).
+        """
+        def callable_setting():
+            return "This should not be displayed"
+        with self.settings(DEBUG=True, FOOBAR=callable_setting):
+            response = self.client.get('/views/raises500/')
+            self.assertNotContains(response, "This should not be displayed", status_code=500)
+

 class AjaxResponseExceptionReporterFilter(TestCase, ExceptionReportTestMixin):
    """