#23004: Cleanse entries from request.META in debug views
     Reporter:  Daniel Hahler    |                    Owner:  Daniel Maxson
         Type:  New feature      |                   Status:  assigned
    Component:  Error reporting  |                  Version:  master
     Severity:  Normal           |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0

Comment (by Daniel Maxson):

 My take is that we should assume that this page will end up on production
 at some point. Or perhaps a developer is working on an internal Django
 project and thinks it's safe to keep DEBUG=TRUE there, but someone else on
 the inside maliciously leverages this. Or someone's reusing credentials
 between staging and production.

 I would prefer not to hear that Django was how someone pivoted from HTTP
 access to a debug build to acquiring secrets. Even if some of the fault
 would be on bad developer practices, some of the fault would also be on
 Django for leaking secrets when it didn't need to (and if it does need to
 in specific situations, that's configurable for people who know what
 they're doing).

 I think there's a strong security argument that we should assume this data
 will leak, and so should be cleansed before it does.

Ticket URL: <https://code.djangoproject.com/ticket/23004#comment:21>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to