Review Board Ticket #4811: passwords sent in clear-text if login page throws an exception

Thu, 04 Apr 2019 08:53:39 -0700 

------------------------------------------------------------------------------
To reply, visit https://hellosplat.com/s/beanbag/tickets/4811/
------------------------------------------------------------------------------

New ticket #4811 by gwar
For Beanbag, Inc. > Review Board

Status: New
Tags: Priority:Medium, Type:Defect


------------------------------------------------------------------------------
passwords sent in clear-text if login page throws an exception
==============================================================================

# What version are you running?
3.0.14

# What's the URL of the page containing the problem?
login

# What steps will reproduce the problem?
1. Remove the FQDN from ALLOW_HOSTS
2. Restart apache
3. Login


# What is the expected output? What do you see instead?
For the emailed traceback to remove/redact the password

# What operating system are you using? What browser?
not relevant 

# Please provide any additional information below.
Traceback (most recent call last):
 
  File 
"/usr/local/lib/python2.7/dist-packages/Django-1.6.11-py2.7.egg/django/core/handlers/base.py",
 line 180, in get_response
    response = callback(request, **param_dict)
 
  File 
"/usr/local/lib/python2.7/dist-packages/Django-1.6.11-py2.7.egg/django/utils/decorators.py",
 line 95, in _wrapped_view
    result = middleware.process_view(request, view_func, args, kwargs)
 
  File 
"/usr/local/lib/python2.7/dist-packages/Django-1.6.11-py2.7.egg/django/middleware/csrf.py",
 line 156, in process_view
    good_referer = 'https://%s/' % request.get_host()
 
  File 
"/usr/local/lib/python2.7/dist-packages/Django-1.6.11-py2.7.egg/django/http/request.py",
 line 75, in get_host
    raise DisallowedHost(msg)
 
DisallowedHost: Invalid HTTP_HOST header: 'reviewboard-upgrade.sonos.com'.You 
may need to add u'reviewboard-upgrade.sonos.com' to ALLOWED_HOSTS.
 
 
<WSGIRequest
path:/reviews/account/login/,
GET:<QueryDict: {}>,
POST:<QueryDict: {u'username': [u'MY USERNAME'], u'csrfmiddlewaretoken': 
[u'AXfbdwZaxGdfzVfe5HPcVq5gl0Ycs8r0'], u'password': [u'!!!!!MY PASSWORD!!!!!'], 
u'next': [u'']}>,


------------------------------------------------------------------------------

-- 
You received this message because you are subscribed to the Google Groups 
"reviewboard-issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/reviewboard-issues.
For more options, visit https://groups.google.com/d/optout.

Reply via email to