	Fixed #21345: Don't evaluate callable settings in the debug page.
Thanks to crass for the report.
		| @@ -46,6 +46,10 @@ def cleanse_setting(key, value): | ||||
|     except TypeError: | ||||
|         # If the key isn't regex-able, just return as-is. | ||||
|         cleansed = value | ||||
|  | ||||
|     if callable(cleansed): | ||||
|         cleansed.do_not_call_in_templates = True | ||||
|  | ||||
|     return cleansed | ||||
|  | ||||
| def get_safe_settings(): | ||||
|   | ||||
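Review bot: The added `cleansed.do_not_call_in_templates = True` writes to the live settings object instead of a copy, and attribute assignment raises AttributeError on callables that reject new attributes (builtins, bound methods, instances of classes using `__slots__`). For such a setting the error reporter would presumably fail while building the debug page and hide the original exception. For a class-valued setting, the flag stays on the class for the life of the process and changes how templates treat it elsewhere. Returning a small wrapper that carries the flag and delegates `__repr__` avoids both problems. The body of cleanse_setting starts above this hunk, so the sketch below shows only the changed tail.

```python
class CallableSettingWrapper(object):
    """Display-only holder for a callable setting.

    The flag lives on the wrapper, so the original object is never mutated
    and the template engine never invokes it.
    """
    do_not_call_in_templates = True

    def __init__(self, callable_setting):
        self._wrapped = callable_setting

    def __repr__(self):
        return repr(self._wrapped)

# … unchanged: key matching and dict recursion in cleanse_setting …
    if callable(cleansed):
        cleansed = CallableSettingWrapper(cleansed)

    return cleansed
```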
| @@ -586,6 +586,16 @@ class ExceptionReporterFilterTests(TestCase, ExceptionReportTestMixin): | ||||
|             self.verify_safe_response(sensitive_kwargs_function_caller, check_for_POST_params=False) | ||||
|             self.verify_safe_email(sensitive_kwargs_function_caller, check_for_POST_params=False) | ||||
|  | ||||
|     def test_callable_settings(self): | ||||
|         """ | ||||
|         Callable settings should not be evaluated in the debug page (#21345). | ||||
|         """ | ||||
|         def callable_setting(): | ||||
|             return "This should not be displayed" | ||||
|         with self.settings(DEBUG=True, FOOBAR=callable_setting): | ||||
|             response = self.client.get('/views/raises500/') | ||||
|             self.assertNotContains(response, "This should not be displayed", status_code=500) | ||||
|  | ||||
|  | ||||
| class AjaxResponseExceptionReporterFilter(TestCase, ExceptionReportTestMixin): | ||||
|     """ | ||||
|   | ||||
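Review bot: test_callable_settings checks only that the return string is absent from the response, which does not directly show the callable was never invoked; a callable with side effects is the case that matters for a debug page. Recording the call pins the behaviour named in the commit title: add `calls = []` before the inner function, `calls.append(1)` inside `callable_setting`, and `self.assertEqual(calls, [])` after the request. The test also exercises only a plain function, so a callable that rejects attribute assignment (a builtin or a bound method) is not covered. The enclosing ExceptionReporterFilterTests class starts above the hunk.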