#23004: Cleanse entries from request.META in debug views
---------------------------------+-----------------------------------------
     Reporter:  Daniel Hahler    |  Owner:  Daniel Maxson
         Type:  New feature      |  Status:  assigned
    Component:  Error reporting  |  Version:  master
     Severity:  Normal           |  Resolution:
     Keywords:                   |  Triage Stage:  Accepted
    Has patch:  1                |  Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |  UI/UX:  0
---------------------------------+-----------------------------------------
Comment (by Daniel Maxson):

My take is that we should assume that this page will end up on production at some point. Or perhaps a developer is working on an internal Django project and thinks it's safe to keep DEBUG=TRUE there, but someone else on the inside maliciously leverages this. Or someone's reusing credentials between staging and production.

I would prefer not to hear that Django was how someone pivoted from HTTP access to a debug build to acquiring secrets. Even if some of the fault would be on bad developer practices, some of the fault would also be on Django for leaking secrets when it didn't need to (and if it does need to in specific situations, that's configurable for people who know what they're doing).

I think there's a strong security argument that we should assume this data will leak, and so it should be cleansed before it does.

--
Ticket URL: <https://code.djangoproject.com/ticket/23004#comment:21>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
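As an added illustration of the cleansing the ticket asks for (this is example code written for this page, not Django's implementation and not the ticket's patch), the block below masks request.META entries by key name before they would be rendered into a debug traceback. It follows the same shape Django already uses for settings in its debug view (a case-insensitive regex over key names, matching values replaced by a fixed substitute), but the regex, the substitute string and the sample META dict are assumptions constructed for the example. The sample includes process-environment keys because a WSGI environ commonly starts from os.environ, which is exactly how deployment credentials end up in request.META.

```python
import re

# Fixed replacement for masked values (assumed for this example).
CLEANSED_SUBSTITUTE = "********************"

# Key-name pattern deciding what gets masked. Chosen for this example;
# a real deployment would want this list to be configurable.
SENSITIVE_KEY_RE = re.compile(
    r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE|AUTHORIZATION|COOKIE|SESSION|CREDENTIAL",
    re.IGNORECASE,
)

# Constructed sample: a WSGI-style environ as a debug view would see it.
# The os.environ-derived entries at the bottom are the ones the ticket
# worries about; the values are made up.
SAMPLE_META = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/admin/",
    "HTTP_HOST": "example.com",
    "HTTP_USER_AGENT": "curl/8.0",
    "HTTP_AUTHORIZATION": "Basic YWRtaW46aHVudGVyMg==",
    "HTTP_COOKIE": "sessionid=abc123def456",
    "HTTP_X_API_KEY": "live_0123456789",
    "wsgi.version": (1, 0),
    "DJANGO_SETTINGS_MODULE": "mysite.settings",
    "DATABASE_PASSWORD": "hunter2",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG",
}


def cleanse_value(key, value):
    """Mask the value if the key name looks sensitive, else pass it through.

    Masking is decided purely by key name: a credential that arrives under
    an unrelated name (say, a custom header) is not caught. That limit is
    inherent to name-based cleansing and is why the regex should be
    extensible by the deployer.
    """
    if SENSITIVE_KEY_RE.search(str(key)):
        return CLEANSED_SUBSTITUTE
    return value


def get_safe_request_meta(meta):
    """Return a copy of META suitable for rendering into a traceback page."""
    return {k: cleanse_value(k, v) for k, v in meta.items()}


def render_meta_table(meta):
    """Render META the way a plain-text debug page might: one 'KEY: value'
    line per entry, sorted by key. Works on the cleansed or raw dict."""
    return "\n".join(f"{k}: {meta[k]!r}" for k in sorted(meta, key=str))


def leaked_values(rendered_text, secret_values):
    """Return the subset of known secret values that appear verbatim in the
    rendered output; an empty list means the cleansing held."""
    return [s for s in secret_values if s in rendered_text]


if __name__ == "__main__":
    secrets = [
        SAMPLE_META["HTTP_AUTHORIZATION"],
        SAMPLE_META["HTTP_COOKIE"],
        SAMPLE_META["DATABASE_PASSWORD"],
        SAMPLE_META["AWS_SECRET_ACCESS_KEY"],
    ]
    raw = render_meta_table(SAMPLE_META)
    safe = render_meta_table(get_safe_request_meta(SAMPLE_META))
    print("leaked before cleansing:", leaked_values(raw, secrets))
    print("leaked after cleansing: ", leaked_values(safe, secrets))
    print(safe)
```

The check that matters operationally is the last one: render the page text and grep it for the secret values you know are present, rather than trusting the masking regex by inspection. The regex is a denylist, so the run above passes while still saying nothing about secrets stored under key names the pattern does not anticipate.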