#33090: Extend sensitive post parameter filtering to be applicable to exceptions in middleware.
-------------------------------------------+------------------------
               Reporter:  Carlton Gibson   |          Owner:  (none)
                   Type:  New feature      |         Status:  new
              Component:  Error reporting  |        Version:  3.2
               Severity:  Normal           |       Keywords:
           Triage Stage:  Unreviewed       |      Has patch:  0
    Needs documentation:  0                |    Needs tests:  0
Patch needs improvement:  0                |  Easy pickings:  0
                  UI/UX:  0                |
-------------------------------------------+------------------------
 With the current implementation of the `@sensitive_post_parameters` decorator,
 the request is not marked until the view is executed. This means that the
 filtering cannot be applied to reports generated by exceptions in the
 middleware.

 Filtering is always best-effort, and
 [https://docs.djangoproject.com/en/3.2/howto/error-reporting/#filtering-error-reports all the usual caveats apply],
 but discussion by the Django Security Team suggests that it would be feasible
 to mark the request before processing the middleware, thus allowing the
 filtering in error reports even for middleware exceptions.

 The first step would be to adjust `sensitive_post_parameters` to mark the
 view callback:

 {{{
 diff --git a/django/views/decorators/debug.py
 b/django/views/decorators/debug.py
 index 312269baba..faa6eeb107 100644
 --- a/django/views/decorators/debug.py
 +++ b/django/views/decorators/debug.py
 @@ -88,5 +88,7 @@ def sensitive_post_parameters(*parameters):
              else:
                  request.sensitive_post_parameters = '__ALL__'
              return view(request, *args, **kwargs)
 +        # Mark the wrapped view itself in case of middleware errors.
 +        sensitive_post_parameters_wrapper.sensitive_post_parameters =
 parameters or '__ALL__'
          return sensitive_post_parameters_wrapper
      return decorator
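 Review bot: the attribute assignment on `sensitive_post_parameters_wrapper` is only useful if it survives every wrapping layer between the decorated function and the callback the handler resolves; `functools.wraps` copies `__dict__`, and `method_decorator` plus `as_view()` already propagate attributes this way for `csrf_exempt`, but a test with a class-based view decorated on `dispatch` should confirm this attribute arrives on the `as_view()` callable too. The decorator's docstring should also document the new function attribute and state that `parameters or '__ALL__'` is the same value the wrapper stores on `request.sensitive_post_parameters`, so the two representations cannot drift apart.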
 }}}

 And then have the request marked prior to processing the middleware:

 {{{
 diff --git a/django/core/handlers/base.py b/django/core/handlers/base.py
 index 728e449703..260200d5d7 100644
 --- a/django/core/handlers/base.py
 +++ b/django/core/handlers/base.py
 @@ -218,6 +218,10 @@ class BaseHandler:
          response = None
          callback, callback_args, callback_kwargs =
 self.resolve_request(request)

 +        # Mark the request with sensitive_post_parameters if applied.
 +        if hasattr(callback, 'sensitive_post_parameters'):
 +            request.sensitive_post_parameters =
 callback.sensitive_post_parameters
 +
          # Apply view middleware.
          for middleware_method in self._view_middleware:
              response = await middleware_method(request, callback,
 callback_args, callback_kwargs)
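 Review bot: the `await middleware_method(...)` context line shows this hunk sits in `_get_response_async`, so the mirror change is needed in the sync `_get_response` (the description's remark about "the async pathway" reads the wrong way around). More importantly, `_get_response` is the innermost link of the middleware chain, so marking here only covers exceptions raised in `process_view`, template-response and response-phase middleware; an exception raised in a middleware's `__call__` before it invokes `get_response` still happens before the request is marked, and that scope limit belongs in the docs or the ticket summary. Consider `getattr(callback, 'sensitive_post_parameters', None)` with an `is not None` check so a falsy attribute set elsewhere is not silently treated as marking.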
 }}}

 For this last step, something similar would be required for the async pathway.

 Then it would require tests and ancillary cleanup.
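 The proposal in miniature, as an added illustration that is not Django's code and not part of the ticket: `Request`, the handler and the report cleansing are constructed stand-ins, and only the decorator's shape mirrors `django.views.decorators.debug.sensitive_post_parameters`. `handle()` can run with today's behaviour (the request is marked only when the view executes) or with the ticket's pre-marking, and the cleansed POST data it returns shows that a `process_view`-style middleware exception leaks the password in the first case and is filtered in the second.

```python
"""Stand-in for the ticket's proposal: mark the request with the view's
sensitive POST parameters before view middleware runs, so an error report
generated by a middleware exception is cleansed as well.

Added illustration, not Django code: Request, handle() and cleanse_post()
are minimal constructed stand-ins for HttpRequest, BaseHandler._get_response
and the technical-500 filtering.
"""
import functools

CLEANSED = "********"  # the substitute string Django's reports use


class Request:
    """Constructed stand-in for HttpRequest: a path and a POST dict."""

    def __init__(self, path, post):
        self.path = path
        self.POST = dict(post)


def sensitive_post_parameters(*parameters):
    """Same shape as Django's decorator; the attribute on the wrapper is the
    ticket's first step."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(request, *args, **kwargs):
            # Current behaviour: the request is marked only once the view runs.
            request.sensitive_post_parameters = parameters or "__ALL__"
            return view(request, *args, **kwargs)
        # Ticket step 1: expose the names on the view so the handler can read
        # them before any middleware executes.
        wrapper.sensitive_post_parameters = parameters or "__ALL__"
        return wrapper
    return decorator


def cleanse_post(request):
    """What the error report does with POST data: replace marked values."""
    marked = getattr(request, "sensitive_post_parameters", ())
    if marked == "__ALL__":
        return {k: CLEANSED for k in request.POST}
    return {k: (CLEANSED if k in marked else v) for k, v in request.POST.items()}


def handle(request, resolve, view_middleware, premark):
    """Minimal handler. `resolve` maps a path to a view callable. With
    premark=True the wrapper's attribute is copied onto the request before
    view middleware runs (the ticket's second step)."""
    callback = resolve(request.path)
    if premark and hasattr(callback, "sensitive_post_parameters"):
        request.sensitive_post_parameters = callback.sensitive_post_parameters
    try:
        for middleware in view_middleware:
            middleware(request, callback)
        return {"status": "ok", "body": callback(request)}
    except Exception as exc:
        # The part of a 500 report that would show POST data.
        return {"status": "error", "error": str(exc), "post": cleanse_post(request)}


@sensitive_post_parameters("password")
def login_view(request):
    return "logged in"


@sensitive_post_parameters()
def signup_view(request):
    return "signed up"


def failing_view_middleware(request, callback):
    # Constructed process_view-style middleware that always fails.
    raise RuntimeError("boom in process_view")


def demo(premark, view=login_view, post=None):
    """Run one request through the failing middleware and return the report."""
    post = post if post is not None else {"username": "alice", "password": "hunter2"}
    request = Request("/login/", post)
    return handle(request, lambda path: view, [failing_view_middleware], premark)


if __name__ == "__main__":
    print("current behaviour:", demo(premark=False)["post"])
    print("with pre-marking: ", demo(premark=True)["post"])
```

With `premark=False` the exception happens before `login_view` ever runs, so `request` carries no mark and the report shows `hunter2`; with `premark=True` the password is replaced while `username` is kept, and a view decorated with no names (`signup_view`) filters every field, matching the `__ALL__` branch.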

-- 
Ticket URL: <https://code.djangoproject.com/ticket/33090>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
