#21098: MultiValueDictKeyError leaks sensitive POST data
---------------------------------+------------------------------------
Reporter: simonpercivall | Owner: timo
Type: Bug | Status: new
Component: Core (Other) | Version: master
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Comment (by timo):
#15625 (removing the dictionary from the `MultiValueDictKeyError` message)
will fix this for plain text emails sent by `AdminEmailHandler`.
HTML email is another matter because local variables are included which
includes the `self` variable in `MultiValueDict.__getitem__` which is the
unsanitized POST dict. We may be better off adding some warnings to the
documentation than trying to make this protection bulletproof as it seems
exceedingly difficult to do so.
--
Ticket URL: <https://code.djangoproject.com/ticket/21098#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/072.c0825abe331d0c4deef69f471eecf4cf%40djangoproject.com.
For more options, visit https://groups.google.com/groups/opt_out.
