Context Navigation

← Previous Ticket
Next Ticket →

#21345 closed Bug (fixed)

Debug view calls callable settings

Reported by:	Aymeric Augustin	Owned by:	nobody
Component:	Core (Other)	Version:	dev
Severity:	Normal	Keywords:
Cc:	bmispelon@…	Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

Reproduction instructions:

1) Add this to your settings file (I'm not saying it's a good idea)

def KABOOM():
    raise ValueError("KABOOM!")

2) Create a view that raises an uncaught exception

3) Open the corresponding URL with DEBUG = True

Expected result:

Django's fancy debug page.

Actual result:

Non-descript error page: "A server error occurred. Please contact the administrator."

Here the function defined in the settings raises an exception; in fact the problem is that Django's debug page will call any callable setting that accepts being called without arguments. I admit it's a lousy idea to have callable settings; Django favors paths to callables; but it's still a lame behavior to call them arbitrarily :)

This was originally reported against the Debug Toolbar: https://github.com/django-debug-toolbar/django-debug-toolbar/issues/252. I'm duplicating the issue here because the Debug Toolbar took that code from Django itself. I'll update it to follow Django's behavior.

Change History (8)

comment:1 by Tim Graham, 11 years ago

Dup/related to #21048?

comment:2 by Aymeric Augustin, 11 years ago

Yes, related. The same issue exists for request.META.

comment:3 by Baptiste Mispelon, 11 years ago

Triage Stage:	Unreviewed → Accepted

I can reproduce this.

This seems to be caused by the template engine blindly calling anything passed to it.

We can fix this for settings by settings the do_not_call_in_templates attribute on all the callable settings passed to the view's context:

django/views/debug.py

diff --git a/django/views/debug.py b/django/views/debug.py
index 3d0a8c0..96d3e65 100644

                def cleanse_setting(key, value):
     except TypeError:
         # If the key isn't regex-able, just return as-is.
         cleansed = value
+    if callable(cleansed):
+        cleansed.do_not_call_in_templates = True
     return cleansed
 def get_safe_settings():

What do you think?

comment:4 by Baptiste Mispelon, 11 years ago

Cc:	bmispelon@… added

(note that the proposed change above passes the test suite)

comment:5 by Aymeric Augustin, 11 years ago

That's a pretty good solution.

comment:6 by Baptiste Mispelon, 11 years ago

Has patch:	set

Pull request here: https://github.com/django/django/pull/1827

I added tests for this new feature as well as some missing ones (in a separate commit).

comment:7 by Simon Charette, 11 years ago

Triage Stage:	Accepted → Ready for checkin

LGTM and all tests pass on SQLite Py2 and 3.

comment:8 by Baptiste Mispelon <bmispelon@…>, 11 years ago

Resolution:	→ fixed
Status:	new → closed

In 3c5cdaf47aae7e4f21398be1a5eaa07f7c5ce31c:

Fixed #21345: Don't evaluate callable settings in the debug page.

Thanks to crass for the report.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues