#37170: No-argument form of @sensitive_post_parameters() doesn't cleanse request.POST
-------------------------------------------+------------------------------
               Reporter:  Jacob Walls      |          Owner:  Jacob Walls
                   Type:  Bug              |         Status:  assigned
              Component:  Error reporting  |        Version:  dev
               Severity:  Normal           |       Keywords:  not-security
           Triage Stage:  Unreviewed       |      Has patch:  0
    Needs documentation:  0                |    Needs tests:  0
Patch needs improvement:  0                |  Easy pickings:  0
                  UI/UX:  0                |
-------------------------------------------+------------------------------
 The Security Team closed an informative report about the no-argument form
 of `@sensitive_post_parameters()` not cleansing request.POST, as you can
 see from adjusting this existing test:

 {{{#!diff
 diff --git a/tests/view_tests/views.py b/tests/view_tests/views.py
 index 1986341177..835fe22111 100644
 --- a/tests/view_tests/views.py
 +++ b/tests/view_tests/views.py
 @@ -398,7 +398,7 @@ async def async_sensitive_method_view_nested(request):


  @sensitive_variables("sauce")
 -@sensitive_post_parameters("bacon-key", "sausage-key")
 +@sensitive_post_parameters()
  def multivalue_dict_key_error(request):
      cooked_eggs = "".join(["s", "c", "r", "a", "m", "b", "l", "e", "d"])
 # NOQA
      sauce = "".join(  # NOQA
 }}}
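 Review bot: this hunk only demonstrates the defect rather than testing for it; swapping the explicit-key line `@sensitive_post_parameters("bacon-key", "sausage-key")` for `@sensitive_post_parameters()` makes the existing assertion fail with 'sausage-value' still present in the response, and it drops coverage of the explicit-key form. A regression test should instead add a second view decorated with the no-argument form and assert that every POST value is cleansed, so that both forms stay covered once the filter is fixed.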
 {{{#!py
 AssertionError: 2 != 0 :'sausage-value' unexpectedly found in the
 following response
 }}}


 ... but the exception reporter filter is not in-scope for security issues,
 as filtering is done on a
 [https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-error-reports best-efforts basis].

 Looks like an oversight in #21098.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/37170>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
