On Jul 10, 2:05 pm, Carl Karsten <[EMAIL PROTECTED]> wrote:
> I am considering adding a 'paste to http://dpaste.com' button to the error page
> template, but not if the security nutz are going to say it makes it too easy
> for people to expose stuff that shouldn't be exposed.
>
> So, if such a button were created, what would you nutz-os say?
>
> Carl K
>
> pw, hats off to the nutz-os for keeping us safe. Glad someone is on top of
> this stuff.

This would be nice for those developing (i.e. not production) to get
help debugging. Production has the e-mail response.

1. There is no way to make it secure enough.
The local variable stack could have the secret code in it, or a user's
typed password, or the password to the LDAP backend auth system!
There is no way to protect all the data in any system, as you have
no way of knowing what those will be out in the field.

2. Most settings are already protected.
The stuff that is obvious I believe is already protected (could be
wrong about that).

I think a disclaimer would be enough, letting the poster know they are
giving out sensitive information to the world, and to never do this
with a production system.

Then again I have not done security for 10 years, and I am sure others
will have better informed opinions.

-Doug
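
Added example, not part of the message above and not Django's own code: a name-based redaction filter of the kind that can protect obviously named settings, run over the local variables of a failing call to show what it cannot catch. The name pattern, the `ldap_bind` helper, and all sample values are assumptions constructed for this illustration.

```python
import re
import sys

# Assumed name pattern for this example (not taken from Django's source).
SENSITIVE_NAME = re.compile(r"SECRET|PASS|KEY|TOKEN", re.IGNORECASE)
MASK = "********"


def redact_by_name(mapping):
    """Mask values whose *name* looks sensitive; recurse into nested dicts."""
    cleaned = {}
    for name, value in mapping.items():
        if SENSITIVE_NAME.search(str(name)):
            cleaned[name] = MASK
        elif isinstance(value, dict):
            cleaned[name] = redact_by_name(value)
        else:
            cleaned[name] = value
    return cleaned


def frame_locals_report(exc_tb):
    """Collect redacted locals per traceback frame, as an error page would."""
    report = []
    while exc_tb is not None:
        frame = exc_tb.tb_frame
        report.append((frame.f_code.co_name, redact_by_name(dict(frame.f_locals))))
        exc_tb = exc_tb.tb_next
    return report


def ldap_bind(user, credential):
    # Hypothetical failing helper: the secret sits under an innocuous name.
    dn = "uid=%s,dc=example,dc=org" % user
    raise RuntimeError("bind failed for " + dn)


def build_report():
    # Constructed sample settings and form data.
    settings = {"DEBUG": True, "SECRET_KEY": "constructed-secret",
                "DATABASES": {"default": {"NAME": "app", "PASSWORD": "constructed-db-pw"}}}
    form = {"username": "alice", "field2": "constructed-ldap-pw"}
    try:
        ldap_bind(form["username"], form["field2"])
    except RuntimeError:
        frames = frame_locals_report(sys.exc_info()[2])
    return redact_by_name(settings), frames
```

The settings come back masked because their names match the pattern, while the LDAP password survives in the report twice, as `credential` and as `form["field2"]`, since a filter keyed on names has nothing to match there.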