#14614: Dont send Request message when handle_uncaught_exception()
---------------------------------------+------------------------------
               Reporter:  oaylanc      |          Owner:  nobody
                   Type:  New feature  |         Status:  reopened
              Milestone:               |      Component:  Core (Other)
                Version:  1.2          |       Severity:  Normal
             Resolution:               |       Keywords:
           Triage Stage:  Accepted     |      Has patch:  1
    Needs documentation:  0            |    Needs tests:  0
Patch needs improvement:  0            |  Easy pickings:  0
---------------------------------------+------------------------------
Changes (by julien):

 * has_patch:  0 => 1
 * easy:   => 0


Comment:

 I've actually gotten bitten by this recently when I embarrassingly
 received error emails containing a client of mine's password displayed in
 the clear because the admin login view had encountered an unhandled exception.

 I've just posted a patch with a proof of concept to obfuscate specified
 GET/POST parameters when unhandled exceptions are logged. It treats the
 issue at its core (i.e. `HttpRequest`) and takes the form of a view
 decorator in order to stay close to the action and to ease maintenance.

 The nomenclature is inspired from `HIDDEN_SETTINGS` and
 `get_safe_settings` in the `django.views.debug` module. The obfuscation is
 only active when `DEBUG` is `False` as, as has been pointed out above, it
 would be useful to have access to all possible information while
 debugging.

 So, I'd really like to get some feedback on this proof of concept, in
 particular:

 - What do you think of the API? Should there be different or complementary
 ways to this decorator (e.g. for class-based views)?
 - What do you think of the internals, in particular how the `HttpRequest`
 object has been modified? Can you think of anything cleaner? Should the
 obfuscation occur inside or outside `HttpRequest`?
 - Should the built-in auth/admin views make use of this by default? (I
 think they should, as done in my patch, or at least there should be an
 easy way of activating it for all those views.)
 - What do you think of the nomenclature?

 Many thanks.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/14614#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
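The mechanism julien describes above, as an added, stand-alone illustration (this is not Django's code and not the patch attached to the ticket): a view decorator records on the request which GET/POST parameter names are sensitive, and the code path that renders a request into an unhandled-exception report replaces those values with a placeholder unless `DEBUG` is on. `FakeRequest`, `CLEANSED`, `run_view`, `build_exception_report` and the two views are constructed names for this example; the request class is a minimal stand-in for `django.http.HttpRequest` so the file runs without Django installed. The same idea later shipped in Django as `django.views.decorators.debug.sensitive_post_parameters`.

```python
import functools

CLEANSED = "********************"  # placeholder written into the report


class FakeRequest:
    """Constructed stand-in for django.http.HttpRequest (just enough for the example)."""

    def __init__(self, method, GET=None, POST=None):
        self.method = method
        self.GET = dict(GET or {})
        self.POST = dict(POST or {})


def sensitive_parameters(*names):
    """View decorator: record on the request which GET/POST names must be hidden
    when the request is written into an unhandled-exception report."""

    def decorator(view):
        @functools.wraps(view)
        def wrapper(request, *args, **kwargs):
            # Union with anything an outer decorator already marked, so decorators stack.
            already = getattr(request, "sensitive_parameters", frozenset())
            request.sensitive_parameters = frozenset(already) | frozenset(names)
            return view(request, *args, **kwargs)

        return wrapper

    return decorator


def get_safe_parameters(request, debug=False):
    """Return (GET, POST) copies with sensitive values replaced by CLEANSED.
    With debug=True nothing is hidden, so the developer sees the real values."""
    hidden = getattr(request, "sensitive_parameters", frozenset())

    def cleanse(params):
        if debug:
            return dict(params)
        return {k: (CLEANSED if k in hidden else v) for k, v in params.items()}

    return cleanse(request.GET), cleanse(request.POST)


def build_exception_report(request, exc, debug=False):
    """Text an error e-mail would carry: the exception plus the scrubbed parameters."""
    get, post = get_safe_parameters(request, debug=debug)
    return "\n".join([f"{type(exc).__name__}: {exc}", f"GET: {get}", f"POST: {post}"])


def run_view(view, request, debug=False):
    """Call the view; on an unhandled exception return the report that would be logged.
    Returns (response, report); exactly one of the two is None."""
    try:
        return view(request), None
    except Exception as exc:  # this is the handle_uncaught_exception() path
        return None, build_exception_report(request, exc, debug=debug)


@sensitive_parameters("password")
def login_view(request):
    """Constructed view that fails after reading the credentials, as a login view might."""
    raise RuntimeError(f"authentication backend unavailable for {request.POST.get('username')}")


@sensitive_parameters("new_password")
@sensitive_parameters("old_password")
def change_password_view(request):
    """Constructed view with stacked decorators; both names must be hidden."""
    raise ValueError("password change failed")


if __name__ == "__main__":
    req = FakeRequest("POST", POST={"username": "alice", "password": "hunter2"})
    _, report = run_view(login_view, req)
    print(report)
```

Because the marking happens when the view body is entered, an exception raised earlier in the request cycle (for example in middleware) is reported before any parameter has been flagged; that is the inherent limit of doing this with a view decorator rather than inside the request object itself, which is exactly the "inside or outside `HttpRequest`" question raised in the comment.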
