Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#17778 closed Bug (fixed)

RequestContext methods pollute template variables

Reported by: KyleMac Owned by: Tim Graham <timograham@…>
Component: Template system Version: 1.4-beta-1
Severity: Normal Keywords: sprint2013
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Imagine the following simple view:

def index(request):
    return render_to_response('template.html', {
        'myvar': 'My Variable'
    }, context_instance=RequestContext(request))

And the following simple template:

{{ myvar }} is {% if not new %}not {% endif %}new.

The output will always be:

My Variable is new.

This is because django.template.base.Variable._resolve_lookup is finding the new() method on RequestContext which is then forced to a string resulting in "[{}]".

If you're asking why you want to access a variable that the view never sets then the reason is that this situation can occur when views are including or extending the same template.

Attachments (2)

17778-testcase.patch (1.0 KB) - added by aaugustin 3 years ago.
#17778-RequestContext_pollutes_namespace.patch (2.2 KB) - added by regebro 2 years ago.
One solution

Download all attachments as: .zip

Change History (9)

Changed 3 years ago by aaugustin

comment:1 Changed 3 years ago by aaugustin

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

I just attached a test case that demonstrates the problem.

comment:2 Changed 2 years ago by regebro

  • Keywords sprint2013 added
  • Owner changed from nobody to regebro
  • Status changed from new to assigned

Changed 2 years ago by regebro

One solution

comment:3 Changed 2 years ago by regebro

  • Has patch set
  • Owner regebro deleted
  • Status changed from assigned to new
  • Triage Stage changed from Accepted to Design decision needed

To solve this we have to explicitly disallow attributes on the context. Or at least disallow class attributes.

I attached a patch that does the last option. But I think a design decision is needed here.

comment:4 Changed 2 years ago by aaugustin

  • Triage Stage changed from Design decision needed to Accepted

Under which circumstances would Django try to access attributes on the context?

comment:5 Changed 2 years ago by timo

Reported again in #20898

comment:6 Changed 2 years ago by Tim Graham <timograham@…>

  • Owner set to Tim Graham <timograham@…>
  • Resolution set to fixed
  • Status changed from new to closed

In 71b5617c24bb997db294480f07611233069e3359:

Fixed #17778 -- Prevented class attributes on context from resolving as template variables.

Thanks KyleMac for the report, regebro for the patch, and Aymeric for the test.

comment:7 Changed 2 years ago by Tim Graham <timograham@…>

In ccff25b1431bd1bb9d633b1ca1d3aff79acc33d9:

[1.6.x] Fixed #17778 -- Prevented class attributes on context from resolving as template variables.

Thanks KyleMac for the report, regebro for the patch, and Aymeric for the test.

Backport of 71b5617c24 from master.

Note: See TracTickets for help on using tickets.
Back to Top