-rw-r--r--CHANGES.txt8
-rw-r--r--pyramid/httpexceptions.py5
-rw-r--r--pyramid/tests/test_httpexceptions.py11
3 files changed, 24 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index afbc12747..e8fce9c8d 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -7,6 +7,14 @@ Documentation
- Added a section entitled "Writing a Script" to the "Command-Line Pyramid"
chapter.
+Bug Fixes
+---------
+
+- Omit custom environ variables when rendering a custom exception template in
+ ``pyramid.httpexceptions.WSGIHTTPException._set_default_attrs``;
+ stringifying thse may trigger code that should not be executed; see
+ https://github.com/Pylons/pyramid/issues/239
+
1.1b3 (2011-07-15)
==================
diff --git a/pyramid/httpexceptions.py b/pyramid/httpexceptions.py
index 44b854929..4d23db8d2 100644
--- a/pyramid/httpexceptions.py
+++ b/pyramid/httpexceptions.py
@@ -236,6 +236,11 @@ ${body}''')
if WSGIHTTPException.body_template_obj is not body_tmpl:
# Custom template; add headers to args
for k, v in environ.items():
+ if (not k.startswith('wsgi.')) and ('.' in k):
+ # omit custom environ variables, stringifying them may
+ # trigger code that should not be executed here; see
+ # https://github.com/Pylons/pyramid/issues/239
+ continue
args[k] = escape(v)
for k, v in self.headers.items():
args[k.lower()] = escape(v)
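Review bot: The new guard on the `for k, v in environ.items()` loop keys the decision on the key's spelling (a dot, not starting with `wsgi.`) rather than on what is about to be stringified, so an arbitrary object stored under a dot-free key, or under any `wsgi.*` key, is still passed to `escape(v)` and its `__str__` still runs during template rendering. The value's type is the property that actually matters here, so a type check would close the gap the issue describes: `if not isinstance(v, basestring): continue` (kept alongside, or in place of, the key test). The accompanying test in `test_httpexceptions.py` only exercises a dotted key (`gardentheory.user`), so a dot-free key holding the same `Choke` object is not covered. Whether `escape` itself tolerates the non-string `wsgi.*` values (`wsgi.input`, `wsgi.version`, …) is not visible in this hunk and is presumably already handled upstream; worth confirming. The enclosing function (`_set_default_attrs`, per the changelog) starts outside the hunk.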
diff --git a/pyramid/tests/test_httpexceptions.py b/pyramid/tests/test_httpexceptions.py
index 203d442f7..7db071d03 100644
--- a/pyramid/tests/test_httpexceptions.py
+++ b/pyramid/tests/test_httpexceptions.py
@@ -232,6 +232,17 @@ class TestWSGIHTTPException(unittest.TestCase):
body = list(exc(environ, start_response))[0]
self.assertEqual(body, '200 OK\n\nGET')
+ def test_custom_body_template_with_custom_variable_doesnt_choke(self):
+ cls = self._getTargetSubclass()
+ exc = cls(body_template='${REQUEST_METHOD}')
+ environ = _makeEnviron()
+ class Choke(object):
+ def __str__(self): raise ValueError
+ environ['gardentheory.user'] = Choke()
+ start_response = DummyStartResponse()
+ body = list(exc(environ, start_response))[0]
+ self.assertEqual(body, '200 OK\n\nGET')
+
def test_body_template_unicode(self):
cls = self._getTargetSubclass()
la = unicode('/La Pe\xc3\xb1a', 'utf-8')