diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2015-11-11 20:10:55 +0100 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-11-16 21:06:32 -0500 |
| commit | 8a01c6b53169ee079cb21ac5919fdafcc8c5e172 (patch) | |
| tree | 742c1dbff69233b1ee4e68a10fe280730112d9c8 /django | |
| parent | 3bd43598f73832793401a586e87290e011723530 (diff) | |
[1.7.x] Fixed a settings leak possibility in the date template filter.
This is a security fix.
Diffstat (limited to 'django')
| -rw-r--r-- | django/utils/formats.py | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/django/utils/formats.py b/django/utils/formats.py index fc68179f3a..2fe98ac829 100644 --- a/django/utils/formats.py +++ b/django/utils/formats.py @@ -31,6 +31,24 @@ ISO_INPUT_FORMATS = { } +FORMAT_SETTINGS = frozenset([ + 'DECIMAL_SEPARATOR', + 'THOUSAND_SEPARATOR', + 'NUMBER_GROUPING', + 'FIRST_DAY_OF_WEEK', + 'MONTH_DAY_FORMAT', + 'TIME_FORMAT', + 'DATE_FORMAT', + 'DATETIME_FORMAT', + 'SHORT_DATE_FORMAT', + 'SHORT_DATETIME_FORMAT', + 'YEAR_MONTH_FORMAT', + 'DATE_INPUT_FORMATS', + 'TIME_INPUT_FORMATS', + 'DATETIME_INPUT_FORMATS', +]) + + def reset_format_cache(): """Clear any cached formats. @@ -85,6 +103,8 @@ def get_format(format_type, lang=None, use_l10n=None): be localized (or not), overriding the value of settings.USE_L10N. """ format_type = force_str(format_type) + if format_type not in FORMAT_SETTINGS: + return format_type if use_l10n or (use_l10n is None and settings.USE_L10N): if lang is None: lang = get_language() |