#16874: Security issue: settings.py stores password+username in plain-text
-------------------------------------+-------------------------------------
               Reporter:             |          Owner:  nobody
  AlecTaylor                         |         Status:  closed
                   Type:             |      Component:  Core (Other)
  Cleanup/optimization               |       Severity:  Normal
              Milestone:             |       Keywords:
                Version:  SVN        |      Has patch:  0
             Resolution:  wontfix    |    Needs tests:  0
           Triage Stage:  Design     |  Easy pickings:  0
  decision needed                    |
    Needs documentation:  0          |
Patch needs improvement:  0          |
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
Changes (by russellm):

 * status:  new => closed
 * resolution:   => wontfix


Comment:

 1. First off, *PLEASE* don't report security issues to Trac. If you think
 you have found a security issue, it should be reported to
 secur...@djangoproject.com, just like it says on the
 [https://code.djangoproject.com/newticket new ticket page].

 2. Like aaugustin says, this isn't a security issue. If an attacker is in
 a position where they can read your settings.py file, the battle is
 already lost.

 3. If you still want to use a different authentication method, you have
 that flexibility. The only part of settings.py that specifies a username
 and password is the database backend, and they are pluggable, so you can
 implement your own backend with your own authentication method if you
 want.

 If you implement a pluggable backend with a custom authentication scheme
 and want to contribute it to trunk, we *might* consider adding it to trunk
 (depending on complexity, efficacy, etc), but otherwise, having this as an
 open ticket won't actually progress anything. Marking wontfix, as
 aaugustin suggested.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/16874#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
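The comment above says the database backend is the only part of settings.py that carries a username and password. Writing a custom backend is rarely worth it; what practitioners usually do instead is keep the standard backend and stop hard-coding the values, so the repository, backups and diffs never contain the password. The block below is an added example, not code from the ticket, its participants or Django: it builds the DATABASES setting from environment variables (the DJANGO_DB_* names are an assumption for this example) or from a secrets file that must be readable by the service user only. As point 2 notes, this does not protect against someone who can already read files or the environment on the host; it only narrows where the plaintext credential lives.

```python
"""Added example: populate Django's DATABASES setting without a plaintext
password in settings.py. Variable names DJANGO_DB_* and the secrets-file
format (KEY=VALUE lines) are assumptions made for this example."""
import os
import stat
from typing import Dict, Mapping, Optional

REQUIRED = ("DJANGO_DB_NAME", "DJANGO_DB_USER", "DJANGO_DB_PASSWORD")


def write_env_file(path: str, values: Mapping[str, str]) -> None:
    """Provision a secrets file created with mode 0600 from the start, so it is
    never briefly world-readable (umask can only remove bits from 0o600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for key, value in values.items():
            fh.write(f"{key}={value}\n")


def read_env_file(path: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; refuse a file that group or others can access,
    since moving the password out of settings.py gains nothing if the new
    file is readable by every local user."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/others (mode {oct(mode)})")
    values: Dict[str, str] = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue  # blank line, comment, or malformed line
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def database_settings(environ: Mapping[str, str]) -> dict:
    """Build DATABASES['default'] from environment-style variables.

    Fails loudly at startup when a credential is missing rather than letting
    Django try to connect with an empty password."""
    engine = environ.get("DJANGO_DB_ENGINE", "django.db.backends.postgresql")
    if engine.endswith("sqlite3"):  # file-based backend, no credentials needed
        return {"default": {"ENGINE": engine,
                            "NAME": environ.get("DJANGO_DB_NAME", "db.sqlite3")}}
    missing = [key for key in REQUIRED if not environ.get(key)]
    if missing:
        raise RuntimeError("database credentials not configured: " + ", ".join(missing))
    return {
        "default": {
            "ENGINE": engine,
            "NAME": environ["DJANGO_DB_NAME"],
            "USER": environ["DJANGO_DB_USER"],
            "PASSWORD": environ["DJANGO_DB_PASSWORD"],
            "HOST": environ.get("DJANGO_DB_HOST", "localhost"),
            "PORT": environ.get("DJANGO_DB_PORT", ""),
        }
    }


def load_database_settings(secret_file: Optional[str] = None,
                           environ: Optional[Mapping[str, str]] = None) -> dict:
    """Merge an optional secrets file with the process environment; values set
    in the environment win, so a deploy can override the file per host."""
    merged: Dict[str, str] = {}
    if secret_file and os.path.exists(secret_file):
        merged.update(read_env_file(secret_file))
    merged.update(os.environ if environ is None else environ)
    return database_settings(merged)


if __name__ == "__main__":
    # In a real settings.py this single line replaces the hard-coded dict:
    # DATABASES = load_database_settings("/etc/myapp/db.env")  (path assumed)
    print(load_database_settings(environ={"DJANGO_DB_ENGINE": "django.db.backends.sqlite3"}))
```

In settings.py the only line needed is `DATABASES = load_database_settings("/etc/myapp/db.env")` (path assumed); the secrets file is provisioned once on the host by deployment tooling and owned by the account Django runs as. The permission check in `read_env_file` is deliberately strict: a 0644 file is rejected rather than silently used.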
