1) Add this to your settings file (I'm not saying it's a good idea)
{{{
def KABOOM():
    raise ValueError("KABOOM!")
}}}
2) Create a view that raises an uncaught exception
3) Open the corresponding URL with DEBUG = True
'''Expected result:'''
Django's fancy debug page.
'''Actual result:'''
Non-descript error page: "A server error occurred. Please contact the
administrator."
----
Here the function defined in the settings raises an exception; in fact the
problem is that Django's debug page will call any callable setting that
accepts being called without arguments. I admit it's a lousy idea to have
callable settings; Django favors paths to callables; but it's still a lame
behavior to call them arbitrarily :)
This was originally reported against the Debug Toolbar:
https://github.com/django-debug-toolbar/django-debug-toolbar/issues/252. I'm duplicating the
issue here because the Debug Toolbar took that code from Django itself.
I'll update it to follow Django's behavior.
--
Ticket URL: <https://code.djangoproject.com/ticket/21345>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Comment (by timo):
Dup/related to #21048?
--
Ticket URL: <https://code.djangoproject.com/ticket/21345#comment:1>
Comment (by aaugustin):
Yes, related. The same issue exists for `request.META`.
--
Ticket URL: <https://code.djangoproject.com/ticket/21345#comment:2>
* stage: Unreviewed => Accepted
Comment:
I can reproduce this.
This seems to be caused by the template engine blindly calling anything
passed to it.
We can fix this for settings by setting the `do_not_call_in_templates`
attribute on all the callable settings passed to the view's context:
{{{#!diff
diff --git a/django/views/debug.py b/django/views/debug.py
index 3d0a8c0..96d3e65 100644
--- a/django/views/debug.py
+++ b/django/views/debug.py
@@ -46,6 +46,10 @@ def cleanse_setting(key, value):
except TypeError:
# If the key isn't regex-able, just return as-is.
cleansed = value
+
+ if callable(cleansed):
+ cleansed.do_not_call_in_templates = True
+
return cleansed
def get_safe_settings():
}}}
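Review bot: `cleansed.do_not_call_in_templates = True` writes an attribute onto the setting's own object, so rendering the debug page mutates user state, and the assignment raises AttributeError for callables that do not accept new attributes (builtins, bound methods) inside the view that is supposed to report errors. Consider returning a small wrapper object that carries `do_not_call_in_templates = True` and delegates `repr()` to the wrapped callable, or at least guarding the assignment. A test with a callable setting that raises when called would pin the behavior down.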
What do you think?
--
Ticket URL: <https://code.djangoproject.com/ticket/21345#comment:3>
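A simplified model of the behavior discussed in this ticket, added here as an example and not taken from Django or from the patch above: `resolve`, `CallableWrapper`, `protect` and `render_settings` are hypothetical names, and the sample settings are constructed. It shows a lookup that calls a callable setting, and a wrapper that carries `do_not_call_in_templates` without modifying the setting itself.

```python
# Simplified model (an assumption, not Django's source) of how a template
# variable lookup treats callables, and of a debug-page guard built on it.

def resolve(value):
    """Mimic the lookup rule: call zero-argument callables unless flagged."""
    if callable(value) and not getattr(value, "do_not_call_in_templates", False):
        try:
            return value()
        except TypeError:
            # Callable needs arguments; the model renders it as empty text.
            return ""
    return value


class CallableWrapper:
    """Hypothetical wrapper: carries the flag without touching the wrapped object."""
    do_not_call_in_templates = True

    def __init__(self, wrapped):
        self._wrapped = wrapped

    def __repr__(self):
        return repr(self._wrapped)


def protect(value):
    """Return a value that is safe to hand to resolve() on a debug page."""
    return CallableWrapper(value) if callable(value) else value


def render_settings(settings, guard):
    """Render each setting as text, recording lookups that blow up."""
    out = {}
    for key, value in settings.items():
        try:
            out[key] = repr(resolve(guard(value)))
        except Exception as exc:  # the uncaught error that kills the debug page
            out[key] = "ERROR: %s" % exc
    return out


def KABOOM():
    raise ValueError("KABOOM!")


# Constructed sample settings: a plain value, the ticket's callable, a builtin.
SAMPLE = {"DEBUG": True, "KABOOM": KABOOM, "LEN": len}
UNGUARDED = render_settings(SAMPLE, lambda v: v)
GUARDED = render_settings(SAMPLE, protect)
```

The builtin `len` is included because it does not accept new attributes, so flagging it in place would fail while wrapping it works.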
* cc: bmispelon@… (added)
Comment:
(note that the proposed change above passes the test suite)
--
Ticket URL: <https://code.djangoproject.com/ticket/21345#comment:4>
Comment (by aaugustin):
That's a pretty good solution.
--
Ticket URL: <https://code.djangoproject.com/ticket/21345#comment:5>
* has_patch: 0 => 1
Comment:
Pull request here: https://github.com/django/django/pull/1827
I added tests for this new feature as well as some missing ones (in a
separate commit).
--
Ticket URL: <https://code.djangoproject.com/ticket/21345#comment:6>
* stage: Accepted => Ready for checkin
Comment:
LGTM and all tests pass on SQLite Py2 and 3.
--
Ticket URL: <https://code.djangoproject.com/ticket/21345#comment:7>
* status: new => closed
* resolution: => fixed
Comment:
In [changeset:"3c5cdaf47aae7e4f21398be1a5eaa07f7c5ce31c"]:
{{{
#!CommitTicketReference repository=""
revision="3c5cdaf47aae7e4f21398be1a5eaa07f7c5ce31c"
Fixed #21345: Don't evaluate callable settings in the debug page.
Thanks to crass for the report.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/21345#comment:8>