From 316bc3fc9437c5960c24baceb93c73f1939711e4 Mon Sep 17 00:00:00 2001
From: Florian Apolloner
Date: Wed, 11 Nov 2015 20:10:55 +0100
Subject: [PATCH] Fixed a settings leak possibility in the date template filter.

This is a security fix.
---
 django/utils/formats.py | 20 ++++++++++++++++++++
 tests/i18n/tests.py | 3 +++
 2 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/django/utils/formats.py b/django/utils/formats.py
index d2bdda4..8334682 100644
--- a/django/utils/formats.py
+++ b/django/utils/formats.py
@@ -30,6 +30,24 @@
 }
 
+FORMAT_SETTINGS = frozenset([
+    'DECIMAL_SEPARATOR',
+    'THOUSAND_SEPARATOR',
+    'NUMBER_GROUPING',
+    'FIRST_DAY_OF_WEEK',
+    'MONTH_DAY_FORMAT',
+    'TIME_FORMAT',
+    'DATE_FORMAT',
+    'DATETIME_FORMAT',
+    'SHORT_DATE_FORMAT',
+    'SHORT_DATETIME_FORMAT',
+    'YEAR_MONTH_FORMAT',
+    'DATE_INPUT_FORMATS',
+    'TIME_INPUT_FORMATS',
+    'DATETIME_INPUT_FORMATS',
+])
+
+
 def reset_format_cache():
     """Clear any cached formats.
 
@@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None):
     be localized (or not), overriding the value of settings.USE_L10N.
     """
     format_type = force_str(format_type)
+    if format_type not in FORMAT_SETTINGS:
+        return format_type
     if use_l10n or (use_l10n is None and settings.USE_L10N):
         if lang is None:
             lang = get_language()
diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
index 1de7b11..fd332c5 100644
--- a/tests/i18n/tests.py
+++ b/tests/i18n/tests.py
@@ -1249,6 +1249,9 @@ def test_localized_as_text_as_hidden_input(self):
         ''
     )
 
+    def test_format_arbitrary_settings(self):
+        self.assertEqual(get_format('DEBUG'), 'DEBUG')
+
 
 class MiscTests(SimpleTestCase):
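Review bot: FORMAT_SETTINGS is added with no comment saying what it is for, yet it is now the allow-list that decides which names get_format() is permitted to resolve against the settings object, so a maintainer adding a new format setting must know to extend it and must never widen it to a non-format name. I would put above the frozenset: `# Allow-list of settings names that get_format() may look up on settings. Any other format_type is returned verbatim, so a user-controlled format string (e.g. via the date/time template filters) cannot be used to read arbitrary settings such as SECRET_KEY.` The names presumably mirror the format settings defined in django.conf.global_settings and the locale formats modules; a one-line note saying the two lists must stay in sync would help, but I cannot confirm that coupling from this hunk alone.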
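Review bot: The get_format docstring (its opening lines lie above this hunk) is not updated to describe the new behaviour, so callers still read it as "returns the value of the named setting" when an unknown name is now echoed back unchanged and will be treated downstream as a literal format string. I would append to the docstring: `If ``format_type`` is not one of the names in FORMAT_SETTINGS it is returned unchanged and treated as a literal format string; it is never looked up on settings.` The guard is placed correctly: it runs after force_str() and before the cache and the getattr(settings, ...) lookup, so an unknown name never reaches either, and because the membership test is exact and case-sensitive a lowercase or otherwise mangled name falls into the safe pass-through rather than a lookup. The rest of get_format's body continues outside the hunk.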
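Review bot: test_format_arbitrary_settings only pins the pass-through for 'DEBUG', a name that was never the sensitive case, and it calls get_format() directly although the commit message says the leak was reachable through the date template filter, so the regression the fix is for is not actually exercised. I would add `self.assertEqual(get_format('SECRET_KEY'), 'SECRET_KEY')` next to the existing assertion, and a second assertion that renders a template using `{{ value|date:"SECRET_KEY" }}` and checks that settings.SECRET_KEY does not appear in the output, assuming the Template/Context helpers used elsewhere in this module are importable here. The enclosing test class begins well before this hunk, so I cannot see which fixtures or overridden settings it already provides.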