From bb573ebee4dc58d8e70826f774bc7fdd7b3be4b3 Mon Sep 17 00:00:00 2001
From: Sachi King
Date: Sun, 30 Apr 2017 11:52:40 +1000
Subject: [PATCH] settings - DEBUG hardening

DEBUG is something that should never be turned in on prod. As such, lets be extremely specific on what we expect to process. As we'll be taking this in from the environment, it's ensured we will get a string. So we'll always get and only handle this in string form. If it's anything else, it's an operational error and we bail. (Note: bool('0') is truthy, so we make sure we leverge our string -> int -> bool every time, so corectness can be noticed if it is not)

---
 pinaxcon/settings.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/pinaxcon/settings.py b/pinaxcon/settings.py
index 19d857b5..2d645844 100644
--- a/pinaxcon/settings.py
+++ b/pinaxcon/settings.py
@@ -13,7 +13,19 @@
 BASE_DIR = PACKAGE_ROOT
 
 ### USER SETTINGS
-DEBUG = True
+DEBUG = os.environ.get('SYMPOSION_APP_DEBUG', '0')
+if isinstance(DEBUG, str):
+    try:
+        i = int(DEBUG)
+        if not i in [0, 1]:
+            raise ValueError("not 0 or 1")
+        DEBUG = bool(i)
+    except ValueError:
+        sys.exit('DEBUG env var must be set to string value of a 0 or 1')
+else:
+    sys.exit('DEBUG env var is in unexpected format. Should be a string'
+             'containing either a 0 or a 1 - Got type %s' % type(DEBUG))
+
 DATABASES = {
     "default": {
         "ENGINE": "django.db.backends.sqlite3",
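Review bot: The `else:` branch and its `isinstance(DEBUG, str)` guard are unreachable — `os.environ.get` with a `str` default always yields a `str` — so the type check adds no hardening and only hides the missing space in the concatenated message (`'...Should be a string' 'containing...'` renders as "stringcontaining"). A strict allow-list on the raw string gives the same fail-closed behaviour without the int round-trip and names the variable the operator must fix: `raw = os.environ.get('SYMPOSION_APP_DEBUG', '0')`, `if raw not in ('0', '1'): sys.exit('SYMPOSION_APP_DEBUG must be "0" or "1", got %r' % raw)`, `DEBUG = raw == '1'`. If the int-based check is kept as written, `if not i in [0, 1]:` should read `if i not in (0, 1):`. The hunk does not show the module's imports; confirm `sys` (and `os`) are imported at the top of settings.py, since a NameError here would surface only at process start rather than in review.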