1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
From 316bc3fc9437c5960c24baceb93c73f1939711e4 Mon Sep 17 00:00:00 2001
From: Florian Apolloner <florian@apolloner.eu>
Date: Wed, 11 Nov 2015 20:10:55 +0100
Subject: [PATCH] Fixed a settings leak possibility in the date template
filter.
This is a security fix.
---
django/utils/formats.py | 20 ++++++++++++++++++++
tests/i18n/tests.py | 3 +++
2 files changed, 23 insertions(+), 0 deletions(-)
diff --git a/django/utils/formats.py b/django/utils/formats.py
index d2bdda4..8334682 100644
--- a/django/utils/formats.py
+++ b/django/utils/formats.py
@@ -30,6 +30,24 @@
}
+FORMAT_SETTINGS = frozenset([
+ 'DECIMAL_SEPARATOR',
+ 'THOUSAND_SEPARATOR',
+ 'NUMBER_GROUPING',
+ 'FIRST_DAY_OF_WEEK',
+ 'MONTH_DAY_FORMAT',
+ 'TIME_FORMAT',
+ 'DATE_FORMAT',
+ 'DATETIME_FORMAT',
+ 'SHORT_DATE_FORMAT',
+ 'SHORT_DATETIME_FORMAT',
+ 'YEAR_MONTH_FORMAT',
+ 'DATE_INPUT_FORMATS',
+ 'TIME_INPUT_FORMATS',
+ 'DATETIME_INPUT_FORMATS',
+])
+
+
def reset_format_cache():
"""Clear any cached formats.
@@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None):
be localized (or not), overriding the value of settings.USE_L10N.
"""
format_type = force_str(format_type)
+ if format_type not in FORMAT_SETTINGS:
+ return format_type
if use_l10n or (use_l10n is None and settings.USE_L10N):
if lang is None:
lang = get_language()
diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
index 1de7b11..fd332c5 100644
--- a/tests/i18n/tests.py
+++ b/tests/i18n/tests.py
@@ -1249,6 +1249,9 @@ def test_localized_as_text_as_hidden_input(self):
'<input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />'
)
+ def test_format_arbitrary_settings(self):
+ self.assertEqual(get_format('DEBUG'), 'DEBUG')
+
class MiscTests(SimpleTestCase):
|
