[Python-modules-commits] [python-django] 10/19: date-leak-1.7.diff

Luke Faraone lfaraone at moszumanska.debian.org
Thu Jul 21 02:34:41 UTC 2016


This is an automated email from the git hooks/post-receive script.

lfaraone pushed a commit to branch debian/jessie
in repository python-django.

commit 986288317213e545851aec4d164a531f8281a1bb
Author: Luke W Faraone <lfaraone at debian.org>
Date:   Wed Nov 11 20:10:55 2015 +0100

    date-leak-1.7.diff
    
    commit 8a01c6b53169ee079cb21ac5919fdafcc8c5e172
    Author: Florian Apolloner <florian at apolloner.eu>
    
        [1.7.x] Fixed a settings leak possibility in the date template filter.
    
        This is a security fix.
---
 django/utils/formats.py | 20 ++++++++++++++++++++
 tests/i18n/tests.py     |  3 +++
 2 files changed, 23 insertions(+)

diff --git a/django/utils/formats.py b/django/utils/formats.py
index fc68179..2fe98ac 100644
--- a/django/utils/formats.py
+++ b/django/utils/formats.py
@@ -31,6 +31,24 @@ ISO_INPUT_FORMATS = {
 }
 
 
+FORMAT_SETTINGS = frozenset([
+    'DECIMAL_SEPARATOR',
+    'THOUSAND_SEPARATOR',
+    'NUMBER_GROUPING',
+    'FIRST_DAY_OF_WEEK',
+    'MONTH_DAY_FORMAT',
+    'TIME_FORMAT',
+    'DATE_FORMAT',
+    'DATETIME_FORMAT',
+    'SHORT_DATE_FORMAT',
+    'SHORT_DATETIME_FORMAT',
+    'YEAR_MONTH_FORMAT',
+    'DATE_INPUT_FORMATS',
+    'TIME_INPUT_FORMATS',
+    'DATETIME_INPUT_FORMATS',
+])
+
+
 def reset_format_cache():
     """Clear any cached formats.
 
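Review bot: The new `FORMAT_SETTINGS` allowlist carries no comment saying that it is a security boundary, so a later maintainer could extend it with a non-format setting and reopen the leak this commit closes. I would add above it: `# Names get_format() may resolve. Format settings only: any other name added here becomes readable from templates.` The set also has to stay in step with the format names the project supports, because the guard added in `get_format()` silently returns any name missing from it as a literal. The body of `reset_format_cache()` continues outside this hunk.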
@@ -85,6 +103,8 @@ def get_format(format_type, lang=None, use_l10n=None):
     be localized (or not), overriding the value of settings.USE_L10N.
     """
     format_type = force_str(format_type)
+    if format_type not in FORMAT_SETTINGS:
+        return format_type
     if use_l10n or (use_l10n is None and settings.USE_L10N):
         if lang is None:
             lang = get_language()
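Review bot: The docstring of `get_format()` is not updated for the early return added after `force_str()`: a name outside `FORMAT_SETTINGS` now comes back unchanged, and the visible docstring lines do not say so. I would add a sentence such as `If format_type is not a known format setting, it is returned unchanged.` and a why-comment on the guard, `# Never resolve arbitrary names; the lookups below may fall back to project settings.` The fallback to settings is inferred from the commit message, since the rest of the function lies outside this hunk. Placing the guard ahead of the `use_l10n` branch is right, and the comment would help keep it there.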
diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
index e4bae85..0bf54d3 100644
--- a/tests/i18n/tests.py
+++ b/tests/i18n/tests.py
@@ -828,6 +828,9 @@ class FormattingTests(TestCase):
                 '<input id="id_date_added" name="date_added" type="hidden" value="31.12.2009 06:00:00" />; <input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />'
             )
 
+    def test_format_arbitrary_settings(self):
+        self.assertEqual(get_format('DEBUG'), 'DEBUG')
+
 
 class MiscTests(TestCase):
 
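Review bot: The regression test in `test_format_arbitrary_settings` pins one setting name on the default path only, so it does not show that the guard holds on both the localised and the non-localised path. I would add `self.assertEqual(get_format('DEBUG', use_l10n=False), 'DEBUG')` and one assertion that an allowlisted name such as `'DATE_FORMAT'` is still resolved rather than echoed back. The commit message names the date template filter, so a template-level assertion that a setting name passed as the filter argument is treated as a literal format string would cover the path that was reported. `FormattingTests` starts outside this hunk, so its existing fixtures are not visible here.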

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-django.git


