#21098: MultiValueDictKeyError leaks sensitive POST data ---------------------------------+------------------------------------ Reporter: simonpercivall | Owner: timo Type: Bug | Status: new Component: Core (Other) | Version: master Severity: Release blocker | Resolution: Keywords: | Triage Stage: Accepted Has patch: 1 | Needs documentation: 0 Needs tests: 0 | Patch needs improvement: 1 Easy pickings: 0 | UI/UX: 0 ---------------------------------+------------------------------------
Comment (by timo): #15625 (removing the dictionary from the `MultiValueDictKeyError` message) will fix this for plain text emails sent by `AdminEmailHandler`. HTML email is another matter because local variables are included which includes the `self` variable in `MultiValueDict.__getitem__` which is the unsanitized POST dict. We may be better off adding some warnings to the documentation than trying to make this protection bulletproof as it seems exceedingly difficult to do so. -- Ticket URL: <https://code.djangoproject.com/ticket/21098#comment:8> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To post to this group, send email to django-updates@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/072.c0825abe331d0c4deef69f471eecf4cf%40djangoproject.com. For more options, visit https://groups.google.com/groups/opt_out.