Fixed #27258 -- Prohibited django.Template.render() with non-dict context.

Thanks Shivang Bharadwaj for the initial patch.

2 files changed, 5 insertions, 2 deletions

diff --git a/django/template/context.py b/django/template/context.py
index 134aac4b36..166f60fe75 100644
--- a/django/template/context.py
+++ b/django/template/context.py
@@ -281,6 +281,8 @@ def make_context(context, request=None, **kwargs):
     """
     Create a suitable Context from a plain dict and optionally an HttpRequest.
     """
+    if context is not None and not isinstance(context, dict):
+        raise TypeError('context must be a dict rather than %s.' % context.__class__.__name__)
     if request is None:
         context = Context(context, **kwargs)
     else:
diff --git a/django/views/csrf.py b/django/views/csrf.py
index 493e112fbe..5e13e529fc 100644
--- a/django/views/csrf.py
+++ b/django/views/csrf.py
@@ -105,7 +105,7 @@ def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME):
     Default view used when request fails CSRF protection
     """
     from django.middleware.csrf import REASON_NO_REFERER, REASON_NO_CSRF_COOKIE
-    c = Context({
+    c = {
         'title': _("Forbidden"),
         'main': _("CSRF verification failed. Request aborted."),
         'reason': reason,
@@ -132,13 +132,14 @@ def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME):
         'DEBUG': settings.DEBUG,
         'docs_version': get_docs_version(),
         'more': _("More information is available with DEBUG=True."),
-    })
+    }
     try:
         t = loader.get_template(template_name)
     except TemplateDoesNotExist:
         if template_name == CSRF_FAILURE_TEMPLATE_NAME:
             # If the default template doesn't exist, use the string template.
             t = Engine().from_string(CSRF_FAILURE_TEMPLATE)
+            c = Context(c)
         else:
             # Raise if a developer-specified template doesn't exist.
             raise