Opened 4 years ago

Closed 4 years ago

#21345 closed Bug (fixed)

Debug view calls callable settings

Reported by: Aymeric Augustin
Owned by: nobody
Component: Core (Other)
Version: master
Severity: Normal
Keywords:
Cc: bmispelon@…
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Reproduction instructions:

1) Add this to your settings file (I'm not saying it's a good idea)

def KABOOM():
    raise ValueError("KABOOM!")

2) Create a view that raises an uncaught exception

3) Open the corresponding URL with DEBUG = True

Expected result:

Django's fancy debug page.

Actual result:

Nondescript error page: "A server error occurred. Please contact the administrator."


Here the function defined in the settings raises an exception; in fact the problem is that Django's debug page will call any callable setting that accepts being called without arguments. I admit it's a lousy idea to have callable settings; Django favors paths to callables; but it's still a lame behavior to call them arbitrarily :)

This was originally reported against the Debug Toolbar: https://github.com/django-debug-toolbar/django-debug-toolbar/issues/252. I'm duplicating the issue here because the Debug Toolbar took that code from Django itself. I'll update it to follow Django's behavior.

Change History (8)

comment:1 Changed 4 years ago by Tim Graham

Dup/related to #21048?

comment:2 Changed 4 years ago by Aymeric Augustin

Yes, related. The same issue exists for request.META.

comment:3 Changed 4 years ago by Baptiste Mispelon

Triage Stage: Unreviewed → Accepted

I can reproduce this.

This seems to be caused by the template engine blindly calling anything passed to it.

We can fix this for settings by setting the do_not_call_in_templates attribute on all the callable settings passed to the view's context:

  • django/views/debug.py

    diff --git a/django/views/debug.py b/django/views/debug.py
    index 3d0a8c0..96d3e65 100644
    a b def cleanse_setting(key, value): 
    4646    except TypeError:
    4747        # If the key isn't regex-able, just return as-is.
    4848        cleansed = value
     49
     50    if callable(cleansed):
     51        cleansed.do_not_call_in_templates = True
     52
    4953    return cleansed
    5054
    5155def get_safe_settings():
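Review bot: the new `cleansed.do_not_call_in_templates = True` mutates the setting object in place and will raise AttributeError for callables that refuse new attributes (builtin functions, bound methods, instances with `__slots__`), so the cleansing step itself would turn into a fresh 500 on the very page meant to diagnose errors; note also that `callable(cleansed)` is true for classes, so the flag lands on the class as a new class attribute. Since cleanse_setting already returns a substitute value for masked keys, return a small non-callable wrapper instead of flagging the object, along the lines of `class CallableSettingWrapper:` with `__init__(self, c): self._wrapped = c` and `__repr__(self): return repr(self._wrapped)`; the template engine then never sees a callable and the original setting is left untouched.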

What do you think?
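A runnable model of the problem described in the ticket and of the two ways of preventing it discussed above (the in-place flag from the patch, and a non-callable wrapper). This is an added example, not Django's own code: `resolve` mimics the rule Django's template engine applies when variable lookup lands on a callable (call it with no arguments unless it carries `alters_data` or `do_not_call_in_templates`), while `cleanse_setting`, `CallableSettingWrapper`, `mark_do_not_call`, `render_settings` and the `SAMPLE_SETTINGS` dict are simplified stand-ins constructed for this example. The sample settings include a builtin (`max`) to show why flagging the object in place is not enough.

```python
"""Toy model of the failure in this ticket and of two ways to prevent it.

Added example, not Django's own code. ``resolve`` mimics the rule Django's
template engine applies when variable lookup lands on a callable: unless the
object carries ``alters_data`` or ``do_not_call_in_templates`` it is called
with no arguments. Everything else here is a simplified stand-in written for
this example.
"""
import re

HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE")
INVALID = ""  # the engine's "invalid variable" placeholder


def resolve(value):
    """Model of how the template engine treats one resolved value."""
    if callable(value):
        if getattr(value, "do_not_call_in_templates", False):
            return value                  # rendered via repr(), never called
        if getattr(value, "alters_data", False):
            return INVALID
        try:
            return value()                # the behaviour this ticket is about
        except TypeError:
            return INVALID                # arguments were required
    return value


def mark_do_not_call(value):
    """The in-place approach from comment 3: flag the object itself.

    Works for plain functions and classes, but raises AttributeError for
    objects that refuse attribute assignment (builtins, bound methods).
    """
    value.do_not_call_in_templates = True
    return value


class CallableSettingWrapper:
    """Wrap a callable in a non-callable object that displays like it.

    The engine never sees a callable, so nothing is invoked, and the
    original setting object is left untouched.
    """
    def __init__(self, callable_setting):
        self._wrapped = callable_setting

    def __repr__(self):
        return repr(self._wrapped)


def cleanse_setting(key, value):
    """Hypothetical cleanse step: mask secret-looking keys, neutralise callables."""
    try:
        if HIDDEN_SETTINGS.search(key):
            return "********************"
    except TypeError:
        pass  # non-string key: show as-is
    if callable(value):
        return CallableSettingWrapper(value)
    return value


def render_settings(settings, cleanse=None):
    """Return (status, rows). Anything escaping the render gives a 500, which
    is the bare error page the reporter saw instead of the debug page."""
    rows = {}
    try:
        for key, value in settings.items():
            if cleanse is not None:
                value = cleanse(key, value)
            rows[key] = resolve(value)
    except Exception as exc:
        return 500, {"error": "%s: %s" % (type(exc).__name__, exc)}
    return 200, rows


# Constructed settings module mirroring the report (KABOOM raises when called).
CALLS = []


def KABOOM():
    CALLS.append("KABOOM")
    raise ValueError("KABOOM!")


SAMPLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "not-so-secret",
    "KABOOM": KABOOM,
    "PICKER": max,  # builtin callable: cannot have attributes set on it
}

if __name__ == "__main__":
    print(render_settings(SAMPLE_SETTINGS))                           # status 500, KABOOM ran
    print(render_settings(SAMPLE_SETTINGS, cleanse=cleanse_setting))  # status 200, nothing ran
```

Without cleansing, rendering the settings table executes `KABOOM` and the whole page fails; with the wrapper, every callable (including the builtin, which would have rejected the in-place flag) is displayed by `repr()` and never invoked.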

comment:4 Changed 4 years ago by Baptiste Mispelon

Cc: bmispelon@… added

(note that the proposed change above passes the test suite)

comment:5 Changed 4 years ago by Aymeric Augustin

That's a pretty good solution.

comment:6 Changed 4 years ago by Baptiste Mispelon

Has patch: set

Pull request here: https://github.com/django/django/pull/1827

I added tests for this new feature as well as some missing ones (in a separate commit).

comment:7 Changed 4 years ago by Simon Charette

Triage Stage: Accepted → Ready for checkin

LGTM and all tests pass on SQLite Py2 and 3.

comment:8 Changed 4 years ago by Baptiste Mispelon <bmispelon@…>

Resolution: fixed
Status: new → closed

In 3c5cdaf47aae7e4f21398be1a5eaa07f7c5ce31c:

Fixed #21345: Don't evaluate callable settings in the debug page.

Thanks to crass for the report.
