#23004: Cleanse entries from request.META in debug views
---------------------------------+-----------------------------------------
     Reporter:  Daniel Hahler    |                    Owner:  Daniel Maxson
         Type:  New feature      |                   Status:  assigned
    Component:  Error reporting  |                  Version:  master
     Severity:  Normal           |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+-----------------------------------------

Old description:

> In the debug views `settings` is cleansed, which hides e.g. `SECRET_KEY`.
>
> But a lot of sensible information might also be present / come from
> `request.META`, e.g. in the form of `DJANGO_SECRET_KEY` or
> `DATABASE_URL`.
>
> It might be sensible to apply a filter in `TECHNICAL_500_TEMPLATE`
> (source code reference:
> https://github.com/django/django/blob/master/django/views/debug.py#L972-977).
>
> I see that this can be quite specific, but I think it would be sensible
> to apply `HIDDEN_SETTINGS` to all entries starting with `DJANGO_` and
> have a setting for additional entries, which might default to
> `DATABASE_URL` and `SENTRY_DSN`.

New description:



--

Comment (by Ryan Castner):

 > I'm not entirely sure we need that big of a change for this ticket,
 especially considering that this is a DEBUG=True

 That is sort of frustrating because this was my original PR

 https://github.com/django/django/pull/7996/files

-- 
Ticket URL: <https://code.djangoproject.com/ticket/23004#comment:20>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/065.dad596546a91967a862a3177aeefee83%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to