#33606: Session ID should be cleansed from error reporting
-------------------------------------------+------------------------
               Reporter:  Tobias Bengfort  |  Owner:  (none)
                   Type:  Bug              |  Status:  new
              Component:  Error reporting  |  Version:  4.0
               Severity:  Normal           |  Keywords:
           Triage Stage:  Unreviewed       |  Has patch:  1
    Needs documentation:  0                |  Needs tests:  0
Patch needs improvement:  0                |  Easy pickings:  0
                  UI/UX:  0                |
-------------------------------------------+------------------------
 The session ID should be cleansed when reporting errors, just like other
 credentials. A patch is available at
 https://github.com/django/django/pull/15352.
 See also #29714 and
 https://groups.google.com/g/django-developers/c/H5hJxpwYFcw.

 A quick GitHub search yielded multiple occasions where session IDs ended
 up in public bug reports:

 https://github.com/GibbsConsulting/django-plotly-dash/issues/376
 https://github.com/ome/omero-mapr/issues/42
 https://github.com/jhelbert/great_teaching_network/issues/220
 https://github.com/dzone/osqa/issues/355

 I am sure you could find many more. This could potentially be exploited
 by automatically searching for such requests and hijacking the associated
 accounts.

--
Ticket URL: <https://code.djangoproject.com/ticket/33606>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
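The ticket's point is that a session identifier leaks through two places in a Django error report: the parsed cookie dict (request.COOKIES) and the raw Cookie header that sits in request.META as HTTP_COOKIE. Cleansing one and not the other still leaks the ID. The following is an added example, not Django's own code and not the code in the linked pull request. It models both views of the request data with plain dicts, replaces sensitive cookie values with the same asterisk substitute Django uses for hidden settings, and includes a final check that a report text contains no sensitive value verbatim. The cookie names are assumptions: "sessionid" and "csrftoken" are Django's default SESSION_COOKIE_NAME and CSRF_COOKIE_NAME; a deployment that renames them lists its own names. The sample request values are constructed.

```python
"""Cleanse session identifiers from request data before it reaches an error report.

Added example, not Django's own code. It models the two places an exception
report normally shows a cookie: the raw Cookie header in request.META and the
parsed cookie dict. 'sessionid' and 'csrftoken' are Django's default cookie
names (assumption: the deployment has not renamed them).
"""
import copy

# Same substitute string convention Django uses for cleansed settings.
CLEANSED_SUBSTITUTE = "********************"

# Cookie names whose values identify or authenticate a session.
SENSITIVE_COOKIES = frozenset({"sessionid", "csrftoken"})


def cleanse_cookie_header(header, sensitive=SENSITIVE_COOKIES):
    """Return the Cookie header with sensitive values replaced, order preserved.

    Parsing is deliberately lenient: fragments without '=' are kept verbatim so
    the report still shows what the client actually sent.
    """
    cleansed = []
    for fragment in header.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue
        name, sep, _value = fragment.partition("=")
        if sep and name.strip().lower() in sensitive:
            cleansed.append(f"{name.strip()}={CLEANSED_SUBSTITUTE}")
        else:
            cleansed.append(fragment)
    return "; ".join(cleansed)


def cleanse_request_data(meta, cookies, sensitive=SENSITIVE_COOKIES):
    """Return cleansed copies of request.META and request.COOKIES.

    Both views must be cleansed: hiding COOKIES['sessionid'] while printing
    META['HTTP_COOKIE'] still leaks the session ID. The inputs are not mutated.
    """
    safe_meta = copy.deepcopy(meta)
    if "HTTP_COOKIE" in safe_meta:
        safe_meta["HTTP_COOKIE"] = cleanse_cookie_header(safe_meta["HTTP_COOKIE"], sensitive)
    safe_cookies = {
        name: (CLEANSED_SUBSTITUTE if name.lower() in sensitive else value)
        for name, value in cookies.items()
    }
    return safe_meta, safe_cookies


def leaks_session_id(report_text, cookies, sensitive=SENSITIVE_COOKIES):
    """True if any sensitive cookie value appears verbatim in the report text.

    Intended as a last-line check in a custom reporter filter or a test suite.
    """
    return any(
        value and value in report_text
        for name, value in cookies.items()
        if name.lower() in sensitive
    )


# Constructed sample request; the session and CSRF values are made up.
SAMPLE_COOKIES = {
    "sessionid": "kq7v1o2x9z3hy5m8c4b6n1a0e2r9t7u3",
    "csrftoken": "Zy8wQ4tR1vB6nM3kL0pX9cS2dF5gH7jA",
    "theme": "dark",
}
SAMPLE_META = {
    "PATH_INFO": "/orders/42/",
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_COOKIE": "; ".join(f"{k}={v}" for k, v in SAMPLE_COOKIES.items()),
}

if __name__ == "__main__":
    safe_meta, safe_cookies = cleanse_request_data(SAMPLE_META, SAMPLE_COOKIES)
    report = f"META: {safe_meta}\nCOOKIES: {safe_cookies}"
    print(report)
    print("session ID leaked:", leaks_session_id(report, SAMPLE_COOKIES))
```

In a Django project the natural place for this logic is a subclass of django.views.debug.SafeExceptionReporterFilter registered through the DEFAULT_EXCEPTION_REPORTER_FILTER setting, so that the same cleansing is applied wherever the report is rendered (debug page and e-mailed tracebacks alike). The leaks_session_id check is useful in a test that renders a report for a request carrying a known session cookie and asserts the value never appears in the output.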