#36542: AdminSite views (such as login) leak sensitive POST data
--------------------------------+------------------------------------
     Reporter:  Olivier Dalang  |                    Owner:  nobody
         Type:  Bug             |                   Status:  new
    Component:  contrib.admin   |                  Version:  5.2
     Severity:  Normal          |               Resolution:
     Keywords:                  |             Triage Stage:  Accepted
    Has patch:  0               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+------------------------------------
Changes (by Sarah Boyce):

 * component:  Error reporting => contrib.admin
 * owner:  (none) => nobody
 * stage:  Unreviewed => Accepted
 * summary:
     Improve default error reports filtering (both HTML email reports when
     DEBUG=False and regular reports when DEBUG=True)
     => AdminSite views (such as login) leak sensitive POST data
 * type:  Uncategorized => Bug

Comment:

 Thank you for raising this.
 I have updated the ticket description to reflect the current bug.

 > In terms of fixing this, why don't we just apply the same filter used
 > for settings (`API|AUTH|TOKEN|KEY|SECRET|PASS|SIGNATURE|HTTP_COOKIE`) to
 > POST parameters as well as variables in the full trace? I feel this would
 > cover most cases and be quite straightforward to implement and to
 > understand for users. For that matter, better to redact too many variables
 > than too few.

 This requires more discussion as it's a change in behavior and some folks
 are likely to want to see some POST data for debugging.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36542#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
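Added illustration (not Django's code and not part of the ticket): the rule the quoted comment proposes, i.e. the settings pattern applied to POST keys and to traceback frame locals, run over a constructed admin-login POST. The sample data and the function names are assumptions; the output also shows where the pattern misses a field or redacts a harmless one, which is the trade-off the reply says needs discussion.

```python
import re
from typing import Any

# Pattern quoted in the ticket (Django's hidden-settings filter). Applying it to
# POST data and frame locals is the ticket's proposal, not current behaviour.
SENSITIVE_KEY = re.compile(
    r"API|AUTH|TOKEN|KEY|SECRET|PASS|SIGNATURE|HTTP_COOKIE", re.IGNORECASE
)
CLEANSED = "********************"  # substitute string, as in Django's reports


def cleanse(key: Any, value: Any) -> Any:
    """Redact `value` if `key` matches; otherwise recurse into containers."""
    if isinstance(key, str) and SENSITIVE_KEY.search(key):
        return CLEANSED
    if isinstance(value, dict):
        return {k: cleanse(k, v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        # list items have no key of their own; still cleanse nested dicts
        return type(value)(cleanse("", v) for v in value)
    return value


def cleanse_mapping(data: dict) -> dict:
    """Apply the rule to request.POST or to a frame's local variables."""
    return {k: cleanse(k, v) for k, v in data.items()}


def redacted_keys(data: dict) -> set:
    """Keys whose values the rule replaced (useful for checking coverage)."""
    cleansed = cleanse_mapping(data)
    return {k for k in data if cleansed[k] == CLEANSED}


# Constructed sample: what an admin login POST and a view frame might hold.
LOGIN_POST = {
    "username": "alice",
    "password": "hunter2",
    "csrfmiddlewaretoken": "abc123",
    "next": "/admin/",
}
FRAME_LOCALS = {
    "form": {"cleaned_data": {"username": "alice", "password": "hunter2"}},
    "keyboard_layout": "us",   # harmless, but KEY matches: over-redaction
    "ssn": "123-45-6789",      # sensitive, but no pattern word: missed
}

if __name__ == "__main__":
    print(cleanse_mapping(LOGIN_POST))
    print(cleanse_mapping(FRAME_LOCALS))
```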
