#35901: settings.DEBUG could reject non-empty string values (or in particular
"off", "no", "0", "disabled", "false", "False")
-----------------------------------+--------------------------------------
Reporter: Sebastian Pipping | Owner: (none)
Type: Uncategorized | Status: new
Component: Core (Other) | Version: dev
Severity: Normal | Resolution:
Keywords: security debug | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+--------------------------------------
Comment (by Sebastian Pipping):
The code sample is a nice idea.
With regard to checking all setting types I don't see a need to make the
picture that big: the type check is an implementation detail — we could as
well just block values like `"off", "no", "0", "disabled", "false",
"False"` — but then the list will never be complete. The current explicit
check also doesn't prevent any later migrations towards full-blown type
checks in the future. Why not start small?
I would appreciate it if you would consider that this change alone would
have saved the unfortunate setup
https://github.com/climateconnect/climateconnect/pull/1331 from potential
remote code execution. That's the key motivator behind this suggestion: it
could have been prevented easily.
--
Ticket URL: <https://code.djangoproject.com/ticket/35901#comment:6>
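
The trade-off described in the comment above, as an added example (not Django's code and not the patch attached to the ticket): a blocklist of "off"-looking strings compared with rejecting every non-empty string. The function names, the sample values and the `env_flag` helper are hypothetical.

```python
import os

# Blocklist quoted in the comment above.
BLOCKLIST = {"off", "no", "0", "disabled", "false", "False"}

# Constructed sample values, as an environment variable might deliver them.
SAMPLES = ["False", "FALSE", "No", "n", " false", "0", ""]


def blocklist_check(value):
    """Hypothetical check: reject only the listed 'off'-looking strings."""
    if isinstance(value, str) and value in BLOCKLIST:
        raise ValueError(f"DEBUG={value!r} reads as 'off' but is truthy")
    return value


def type_check(value):
    """Hypothetical check: reject every non-empty string."""
    if isinstance(value, str) and value:
        raise TypeError(f"DEBUG must not be a non-empty string: {value!r}")
    return value


def survivors(check, samples):
    """Values that pass `check` and would still switch debug mode on."""
    passed = []
    for value in samples:
        try:
            if check(value):  # same truthiness test as `if settings.DEBUG:`
                passed.append(value)
        except (TypeError, ValueError):
            pass
    return passed


def env_flag(name, default=False, environ=os.environ):
    """Hypothetical settings helper: parse a boolean explicitly."""
    raw = environ.get(name)
    if raw is None:
        return default
    lowered = raw.strip().lower()
    if lowered in {"1", "true", "yes", "on"}:
        return True
    if lowered in {"0", "false", "no", "off", ""}:
        return False
    raise ValueError(f"{name}={raw!r} is not a recognised boolean")


if __name__ == "__main__":
    print("blocklist lets through:", survivors(blocklist_check, SAMPLES))
    print("type check lets through:", survivors(type_check, SAMPLES))
```

A settings file would use the helper as `DEBUG = env_flag("DEBUG")`, so the value reaching the check is already a real `bool`.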