From 71b5617c24bb997db294480f07611233069e3359 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Mon, 12 Aug 2013 12:41:39 -0400 Subject: [PATCH] Fixed #17778 -- Prevented class attributes on context from resolving as template variables. Thanks KyleMac for the report, regebro for the patch, and Aymeric for the test. --- django/template/base.py | 5 ++++- tests/template_tests/test_context.py | 11 ++++++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/django/template/base.py b/django/template/base.py index ed4196012a..382b85aefd 100644 --- a/django/template/base.py +++ b/django/template/base.py @@ -6,7 +6,7 @@ from importlib import import_module from inspect import getargspec from django.conf import settings -from django.template.context import (Context, RequestContext, +from django.template.context import (BaseContext, Context, RequestContext, ContextPopException) from django.utils.itercompat import is_iterable from django.utils.text import (smart_split, unescape_string_literal, @@ -765,6 +765,9 @@ class Variable(object): current = current[bit] except (TypeError, AttributeError, KeyError, ValueError): try: # attribute lookup + # Don't return class attributes if the class is the context: + if isinstance(current, BaseContext) and getattr(type(current), bit): + raise AttributeError current = getattr(current, bit) except (TypeError, AttributeError): try: # list-index lookup diff --git a/tests/template_tests/test_context.py b/tests/template_tests/test_context.py index ca167a73f3..7bcfb7f9f2 100644 --- a/tests/template_tests/test_context.py +++ b/tests/template_tests/test_context.py @@ -2,7 +2,7 @@ from unittest import TestCase -from django.template import Context +from django.template import Context, Variable, VariableDoesNotExist class ContextTests(TestCase): @@ -25,3 +25,12 @@ class ContextTests(TestCase): with c.push(a=3): self.assertEqual(c['a'], 3) self.assertEqual(c['a'], 1) + + def test_resolve_on_context_method(self): + # Regression test for #17778 + empty_context = Context() + self.assertRaises(VariableDoesNotExist, + Variable('no_such_variable').resolve, empty_context) + self.assertRaises(VariableDoesNotExist, + Variable('new').resolve, empty_context) + self.assertEqual(Variable('new').resolve(Context({'new': 'foo'})), 'foo')