#23004: Cleanse entries from request.META in debug views
------------------------------+------------------------------------
Reporter: blueyed | Owner: nobody
Type: New feature | Status: new
Component: Core (Other) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Comment (by sthzg):
I am interested in this topic and started experimenting with @timo's
suggestions. I hope it is okay to put some questions here, because I am
not completely sure about the scope of it and would be interested in your
opinion.
---
After reading through the code, the {{{cleanse_setting()}}} method seems
to only be relevant to parsing values from the settings. Cleansing POST
for example (which like META is part of the request instance) is done as
part of {{{SafeExceptionReporterFilter}}}. What I am experimenting with is
to provide similar behavior for request.META as there already is for POST.
I implemented a {{{get_meta_parameters()}}} on
{{{SafeExceptionReporterFilter}}} that cleanses all values in META that
match the {{{HIDDEN_SETTINGS}}} (that are now an attribute of
{{{ExceptionReporterFilter}}}).
{{{
#!python
def get_meta_parameters(self, request):
    """
    Replaces the values of META parameters that match defined patterns
    from HIDDEN_SETTINGS with stars (*********).
    """
    if request is None:
        return {}
    else:
        cleansed = request.META.copy()
        # Cleanse all values that match the regexp in HIDDEN_SETTINGS.
        for k, v in cleansed.items():
            if self.HIDDEN_SETTINGS.search(k):
                cleansed[k] = CLEANSED_SUBSTITUTE
        return cleansed
}}}
Now my idea would be to extend the Context instance in
{{{get_traceback_data()}}} to get a {{{filtered_META}}}, analogous to what it
does to get the {{{filtered_POST}}}:
{{{
#!python
c = {
    # ...
    'filtered_POST': self.filter.get_post_parameters(self.request),
    'filtered_META': self.filter.get_meta_parameters(self.request),
    # ...
}
}}}
Then, if {{{filtered_META}}} is not empty, I thought about changing the
{{{TECHNICAL_500_TEMPLATE}}} to loop over that.
----
Before I go on I would be interested if this was still accepted in terms
of behavior and scope or if a solution in that direction would be unlikely
to make its way to core. If yes I would be happy trying to code it and
backing it up by tests and then come back here to discuss the possible
patch.
--
Ticket URL: <https://code.djangoproject.com/ticket/23004#comment:4>
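
An added example, not part of the ticket comment or of Django's code: a standalone sketch of the key-name cleansing proposed above for request.META, run over a constructed META dict to show which entries a settings-style pattern still leaves visible. The regex values, the substitute string, the sample keys and the names cleanse_meta, leaked_keys, EXTENDED and CANARIES are assumptions made for illustration.

```python
import re

# Assumption: modeled on the settings-cleansing pattern in django/views/debug.py;
# the exact value can differ between Django versions.
HIDDEN_SETTINGS = re.compile("API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.I)
# Hypothetical extension with header-oriented names (not from the ticket).
EXTENDED = re.compile(HIDDEN_SETTINGS.pattern + "|COOKIE|AUTH", re.I)
CLEANSED_SUBSTITUTE = "********************"

# Constructed sample of request.META entries; every value is made up.
SAMPLE_META = {
    "HTTP_HOST": "example.test",
    "HTTP_X_API_KEY": "k-111",
    "SECRET_KEY": "s-222",
    "DATABASE_PASSWORD": "p-333",
    "HTTP_COOKIE": "sessionid=c-444",
    "HTTP_AUTHORIZATION": "Bearer a-555",
    "DATABASE_URL": "postgres://app:u-666@db.test/app",
}
# Marker strings embedded in the sample values that must never be displayed.
CANARIES = ("k-111", "s-222", "p-333", "c-444", "a-555", "u-666")


def cleanse_meta(meta, pattern=HIDDEN_SETTINGS):
    """Return a copy of meta with the value masked wherever the key matches."""
    return {
        key: CLEANSED_SUBSTITUTE if pattern.search(key) else value
        for key, value in meta.items()
    }


def leaked_keys(cleansed, canaries=CANARIES):
    """Return the sorted keys whose displayed value still contains a canary."""
    return sorted(
        key for key, value in cleansed.items()
        if any(canary in str(value) for canary in canaries)
    )


if __name__ == "__main__":
    for name, pattern in (("HIDDEN_SETTINGS", HIDDEN_SETTINGS), ("EXTENDED", EXTENDED)):
        print(name, "still shows:", leaked_keys(cleanse_meta(SAMPLE_META, pattern)))
```

Key-name matching cannot mask DATABASE_URL, whose credential sits inside the value, so that entry stays visible under both patterns.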