id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
35901	"settings.DEBUG could reject non-empty string values (or in particular ""off"", ""no"", ""0"", ""disabled"", ""false"", ""False"")"	Sebastian Pipping		"Hi!

I came across a setup recently where (simplified) troubling code `DEBUG = os.environ.get(""DEBUG"", False)` with environment variable state `DEBUG=0` (and later `DEBUG=False`) was activating Debug mode (while not intended to and unaware of) in practice because these (and all other non-empty) strings evaluate to `True` in Python:

{{{
In [1]: bool("""")
Out[1]: False

In [2]: bool(""False"")
Out[2]: True

In [3]: bool(""0"")
Out[3]: True
}}}

The related code is Open Source and my related pull request for their project is public at https://github.com/climateconnect/climateconnect/pull/1331 .

To cheaply protect users from accidents like these (that can easily result in arbitrary remote code execution) in the future, Django could reject values from `settings.DEBUG` that are (a) any string or (b) any non-empty string or (c) in a list of known excluded words (e.g. ""off"", ""no"", ""0"", ""disabled"", ""false"", ""False"").

What do you think?"	New feature	closed	Core (Other)	dev	Normal	wontfix	typed settings	Sebastian Pipping Venkatesh S	Unreviewed	1	0	0	0	0	0
