#32465: Passwords in env variables should be hidden on debug page like other settings are.
-------------------------------------+-------------------------------------
               Reporter:  galt       |          Owner:  nobody
                   Type:  Bug        |         Status:  new
              Component:  Uncategorized |    Version:  3.1
               Severity:  Normal     |       Keywords:  env passwords debug
           Triage Stage:  Unreviewed |      Has patch:  0
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
 Hundreds of blog pages tell people to put their settings for database and
 other passwords and keys into env variables for easier management, and then
 settings.py reads those. This is often described as a good way to avoid
 accidentally checking sensitive settings.py into source code control like
 git. But then the env variables are exposed in the django debug output with
 debug=true. Since django already hides 'API|TOKEN|KEY|SECRET|PASS|SIGNATURE'
 for django settings, it should hide env variables too in the same way.

 Currently this problem is not easy to work around.

 Having debug=false for production helps protect production servers. But
 some users use the same db user/password for both development and
 production systems. So leaking one leaks the other.

 On rare occasions, people need to temporarily enable debug on production
 to solve some quick issue. So fixing the bug would make this safer.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/32465>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
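As an added illustration (not code from the ticket or from Django itself), the function below reproduces the name-based masking the reporter refers to, the 'API|TOKEN|KEY|SECRET|PASS|SIGNATURE' pattern that Django's `SafeExceptionReporterFilter.cleanse_setting` applies to settings, and applies it to an environment mapping. The sample environment is constructed, and `leaked_values` is a hypothetical helper that shows the caveat a defender should know: a secret embedded in a value whose name does not match (here a `DATABASE_URL`) is not hidden by name-based filtering.

```python
import re

# Django's SafeExceptionReporterFilter hides a setting when its *name* matches
# this pattern (case-insensitive substring search). Reproduced here so the
# example runs without Django; the substitute string is the one Django uses.
HIDDEN_NAME_RE = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.IGNORECASE)
CLEANSED_SUBSTITUTE = "********************"


def cleanse_value(key, value):
    """Mirror cleanse_setting: mask by key name, recurse into dicts/lists/tuples."""
    if isinstance(key, str) and HIDDEN_NAME_RE.search(key):
        return CLEANSED_SUBSTITUTE
    if isinstance(value, dict):
        return {k: cleanse_value(k, v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        # List items have no name of their own, so only nested dict keys can match.
        return type(value)(cleanse_value("", v) for v in value)
    return value


def cleanse_environ(environ):
    """Apply the same name-based masking to an environment mapping (e.g. os.environ)."""
    return {k: cleanse_value(k, v) for k, v in environ.items()}


def leaked_values(cleansed, plaintext_secrets):
    """Hypothetical check: which known secrets still appear inside any cleansed value."""
    return [s for s in plaintext_secrets
            if any(s in str(v) for v in cleansed.values())]


# Constructed sample environment; the values are dummies, not real credentials.
SAMPLE_ENV = {
    "DJANGO_SECRET_KEY": "dummy-secret",
    "DB_PASSWORD": "dummy-pass",
    "DB_USER": "app",
    "DATABASE_URL": "postgres://app:dummy-pass@db/app",  # name does not match
}


if __name__ == "__main__":
    cleansed = cleanse_environ(SAMPLE_ENV)
    for name, value in cleansed.items():
        print(f"{name}={value}")
    # DATABASE_URL keeps the password because only the variable *name* is inspected.
    print("still visible:", leaked_values(cleansed, ["dummy-pass"]))
```

The same limitation applies to Django's settings filter, so a value like a connection URL needs a name that matches the pattern, or a filter that inspects values, to be masked.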
