Commit 3c5cdaf4 authored by Baptiste Mispelon's avatar Baptiste Mispelon

Fixed #21345: Don't evaluate callable settings in the debug page.

Thanks to crass for the report.
parent 8f735598
+4 −0
@@ -46,6 +46,10 @@ def cleanse_setting(key, value):
    except TypeError:
        # If the key isn't regex-able, just return as-is.
        cleansed = value

    if callable(cleansed):
        cleansed.do_not_call_in_templates = True

    return cleansed

def get_safe_settings():
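Review bot: The new `cleansed.do_not_call_in_templates = True` assignment on the line after `if callable(cleansed):` will raise AttributeError for callables that do not accept attribute assignment, for example a builtin function or a bound method used as a setting value, so a project with such a setting would now get a second exception while rendering the debug page for the first. Guarding the assignment with `try: ... except AttributeError:` and leaving the value as-is in that case keeps the fix from turning the error page itself into a failure. Note also that when the value is not sensitive the object being flagged appears to be the live settings value (`cleansed = value` in the except branch, and presumably in the non-except path, which starts outside the hunk), so the flag persists on the real setting object beyond the debug page; wrapping it in a small callable-proxy instead would avoid that side effect, though it is a larger change. The body of `cleanse_setting` begins before this hunk.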
+10 −0
@@ -586,6 +586,16 @@ class ExceptionReporterFilterTests(TestCase, ExceptionReportTestMixin):
            self.verify_safe_response(sensitive_kwargs_function_caller, check_for_POST_params=False)
            self.verify_safe_email(sensitive_kwargs_function_caller, check_for_POST_params=False)

    def test_callable_settings(self):
        """
        Callable settings should not be evaluated in the debug page (#21345).
        """
        def callable_setting():
            return "This should not be displayed"
        with self.settings(DEBUG=True, FOOBAR=callable_setting):
            response = self.client.get('/views/raises500/')
            self.assertNotContains(response, "This should not be displayed", status_code=500)


class AjaxResponseExceptionReporterFilter(TestCase, ExceptionReportTestMixin):
    """