1
0
mirror of https://github.com/django/django.git synced 2025-10-25 22:56:12 +00:00

[1.6.x] Fixed #17778 -- Prevented class attributes on context from resolving as template variables.

Thanks KyleMac for the report, regebro for the patch, and Aymeric for the test.

Backport of 71b5617c24 from master.
This commit is contained in:
Tim Graham
2013-08-12 12:41:39 -04:00
parent d2419bb2b8
commit ccff25b143
2 changed files with 14 additions and 2 deletions

View File

@@ -5,7 +5,7 @@ from functools import partial
from inspect import getargspec
from django.conf import settings
from django.template.context import (Context, RequestContext,
from django.template.context import (BaseContext, Context, RequestContext,
ContextPopException)
from django.utils.importlib import import_module
from django.utils.itercompat import is_iterable
@@ -765,6 +765,9 @@ class Variable(object):
current = current[bit]
except (TypeError, AttributeError, KeyError, ValueError):
try: # attribute lookup
# Don't return class attributes if the class is the context:
if isinstance(current, BaseContext) and getattr(type(current), bit):
raise AttributeError
current = getattr(current, bit)
except (TypeError, AttributeError):
try: # list-index lookup

View File

@@ -1,5 +1,5 @@
# coding: utf-8
from django.template import Context
from django.template import Context, Variable, VariableDoesNotExist
from django.utils.unittest import TestCase
@@ -14,3 +14,12 @@ class ContextTests(TestCase):
self.assertEqual(c.pop(), {"a": 2})
self.assertEqual(c["a"], 1)
self.assertEqual(c.get("foo", 42), 42)
def test_resolve_on_context_method(self):
# Regression test for #17778
empty_context = Context()
self.assertRaises(VariableDoesNotExist,
Variable('no_such_variable').resolve, empty_context)
self.assertRaises(VariableDoesNotExist,
Variable('new').resolve, empty_context)
self.assertEqual(Variable('new').resolve(Context({'new': 'foo'})), 'foo')