#23004: Cleanse entries from request.META in debug views ---------------------------------+----------------------------------------- Reporter: Daniel Hahler | Owner: Daniel Maxson Type: New feature | Status: assigned Component: Error reporting | Version: master Severity: Normal | Resolution: Keywords: | Triage Stage: Accepted Has patch: 1 | Needs documentation: 0 Needs tests: 0 | Patch needs improvement: 0 Easy pickings: 0 | UI/UX: 0 ---------------------------------+----------------------------------------- Description changed by Carlton Gibson:
Old description: New description: In the debug views `settings` is cleansed, which hides e.g. `SECRET_KEY`. But a lot of sensible information might also be present / come from `request.META`, e.g. in the form of `DJANGO_SECRET_KEY` or `DATABASE_URL`. It might be sensible to apply a filter in `TECHNICAL_500_TEMPLATE` (source code reference: https://github.com/django/django/blob/master/django/views/debug.py#L972-977). I see that this can be quite specific, but I think it would be sensible to apply `HIDDEN_SETTINGS` to all entries starting with `DJANGO_` and have a setting for additional entries, which might default to `DATABASE_URL` and `SENTRY_DSN`. -- -- Ticket URL: <https://code.djangoproject.com/ticket/23004#comment:28> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To post to this group, send email to django-updates@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/065.f5620a745fa31c33e0269d3d944f72f0%40djangoproject.com. For more options, visit https://groups.google.com/d/optout.