#22990: Sensitive POST data leaks from complex variables
--------------------------------------+------------------------------------
     Reporter:  vzima                 |                    Owner:  vzima
         Type:  Cleanup/optimization  |                   Status:  assigned
    Component:  Core (Other)          |                  Version:  master
     Severity:  Normal                |               Resolution:
     Keywords:                        |             Triage Stage:  Accepted
    Has patch:  1                     |      Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  0                     |                    UI/UX:  0
--------------------------------------+------------------------------------
Changes (by vzima):
 * has_patch:  0 => 1


Comment:

 I finally created a patch which solves this issue; the pull request is at
 GitHub: https://github.com/django/django/pull/3145

 I've found a serious flaw in the tests of the technical 500 error. The
 tests directly called the view which rendered the technical 500 page
 itself. This greatly cut down the traceback to a single frame, thus hiding
 potential leakage occurring on higher levels in production environments.
 So, I've refactored the tests to use the test client and the common
 handling of unhandled exceptions.

 Further issues:
  * Some important data may be hidden in DEBUG mode. I'll investigate it
    further after this ticket is completed.
  * Because of the complexity of the problem, data can't be marked as
    sensitive only for one channel (e.g. HTML error mails) and affected
    values should be generally hidden in all cases. IMHO
    `EXCEPTION_REPORTER_FILTER` should be replaced with `SANITIZER` to
    remove any confusion which may occur from seeing the exception reporter
    filter in the request POST representation.
  * The test client may have an attribute to disable reraising the
    exception from the view.

--
Ticket URL: <https://code.djangoproject.com/ticket/22990#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
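Illustration of the two points made in the comment above, added here as an example and not taken from the ticket, the linked pull request or Django's own code. A traceback reporter that redacts local variables only by name keeps `password` out of the view's frame, but once the traceback is captured through an outer handler (the "test client" shape rather than the "call the view directly" shape) an outer frame holds the raw POST dict under a bland name and the secret appears in the rendered report. A reporter that also walks into dicts, sequences and plain objects closes that gap. All names here (`Request`, `report_by_name`, `report_recursive`, `cleanse`, `handler`, `view`, `PAYLOAD`) are constructed stand-ins, not Django APIs.

```python
import sys
import types

# Constructed illustration; nothing here is Django's API.
SENSITIVE_SUBSTRINGS = ("password", "secret", "token", "api_key")
CLEANSED = "********"


class Request:
    """Stand-in for a request object (not Django's HttpRequest).

    It has no custom __repr__, so a name-based reporter cannot see POST data
    through it; the leak below comes from the plain dict an outer frame holds.
    """

    def __init__(self, post):
        self.POST = dict(post)


def is_sensitive(name):
    """Name-based rule: the only thing a naive variable filter looks at."""
    lowered = name.lower()
    return any(s in lowered for s in SENSITIVE_SUBSTRINGS)


def cleanse(value, depth=0):
    """Recursively redact sensitive keys inside containers and plain objects."""
    if depth > 8:
        return CLEANSED  # refuse to walk arbitrarily deep structures
    if isinstance(value, dict):
        return {
            k: CLEANSED if isinstance(k, str) and is_sensitive(k) else cleanse(v, depth + 1)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple, set, frozenset)):
        return type(value)(cleanse(v, depth + 1) for v in value)
    if (hasattr(value, "__dict__") and not callable(value)
            and not isinstance(value, types.ModuleType)):
        # Render an object as its attribute dict so nested POST data is reached.
        return cleanse(vars(value), depth + 1)
    return value


def frames_of(tb):
    """Walk tb -> tb_next (outermost first), as a traceback reporter does."""
    frames = []
    while tb is not None:
        frames.append(tb.tb_frame)
        tb = tb.tb_next
    return frames


def report_by_name(tb):
    """Filter only by variable name: containers bound to bland names leak."""
    report = []
    for frame in frames_of(tb):
        shown = {name: CLEANSED if is_sensitive(name) else value
                 for name, value in frame.f_locals.items()}
        report.append((frame.f_code.co_name, shown))
    return report


def report_recursive(tb):
    """Filter by name, then cleanse whatever each value contains."""
    report = []
    for frame in frames_of(tb):
        shown = {name: CLEANSED if is_sensitive(name) else cleanse(value)
                 for name, value in frame.f_locals.items()}
        report.append((frame.f_code.co_name, shown))
    return report


def view(request):
    """Failing view; its only sensitive local is caught by name."""
    password = request.POST["password"]  # noqa: F841 (kept as a local on purpose)
    raise ValueError("simulated unhandled exception in the view")


def handler(payload):
    """Outer layer, like a request handler: keeps the raw POST dict in a local."""
    request = Request(payload)
    return view(request)


PAYLOAD = {"username": "alice", "password": "hunter2"}  # constructed sample input


def run_direct(reporter):
    """Old test shape: call the view directly, so the traceback is one frame."""
    try:
        view(Request(PAYLOAD))
    except ValueError:
        return reporter(sys.exc_info()[2].tb_next)  # skip this harness frame


def run_through_handler(reporter):
    """New test shape: go through the outer handler, so outer frames appear."""
    try:
        handler(PAYLOAD)
    except ValueError:
        return reporter(sys.exc_info()[2].tb_next)


def leaks(report):
    """True if the rendered report would show the secret anywhere."""
    return PAYLOAD["password"] in repr(report)
```

`run_direct(report_by_name)` yields a one-frame report with nothing leaked, which is exactly why the old single-frame tests passed; `run_through_handler(report_by_name)` adds the handler frame and the secret shows up in its `payload` dict, while `report_recursive` keeps it hidden in both shapes.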