[Django] #35646: SafeExceptionReporterFilter should filter settings and headers such as HTTP_AUTHORIZATION

2024-07-31 Thread Django
#35646: SafeExceptionReporterFilter should filter settings and headers such as
HTTP_AUTHORIZATION
-+-
   Reporter:  Natalia|  Owner:  Natalia Bidart
  Bidart |
   Type: | Status:  assigned
  Cleanup/optimization   |
  Component:  Error  |Version:  dev
  reporting  |
   Severity:  Normal |   Keywords:
   Triage Stage: |  Has patch:  0
  Unreviewed |
Needs documentation:  0  |Needs tests:  0
Patch needs improvement:  0  |  Easy pickings:  0
  UI/UX:  0  |
-+-
 Following a report from Carlos Pastor:

 > `HTTP_AUTHORIZATION` is not filtered out by
 django.views.debug.SafeExceptionReporterFilter.get_safe_request_meta.
 > [...] Many frameworks use this header to store the session tokens,
 including django-rest-framework when used with the TokenAuthentication
 class. The token will leak by the default AdminEmailHandler class, as it
 is stored in this header.

 Considering that sensitive data filtering is implemented as a "best effort
 solution" and that is documented accordingly (see
 [https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-
 error-reports docs]), this ticket aims to harden
 `SafeExceptionReporterFilter`.
-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/01070191091f1656-60860e86-7b6e-40e1-abc7-29c8030b3348-00%40eu-central-1.amazonses.com.


Re: [Django] #35646: SafeExceptionReporterFilter should filter settings and headers such as HTTP_AUTHORIZATION

2024-07-31 Thread Django
#35646: SafeExceptionReporterFilter should filter settings and headers such as
HTTP_AUTHORIZATION
-+-
 Reporter:  Natalia Bidart   |Owner:  Natalia
 Type:   |  Bidart
  Cleanup/optimization   |   Status:  assigned
Component:  Error reporting  |  Version:  dev
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:
 |  Unreviewed
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by Natalia Bidart):

 * has_patch:  0 => 1

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/01070191094363b2-d267c245-a457-42b2-895d-ce00d7f25637-00%40eu-central-1.amazonses.com.


Re: [Django] #35646: SafeExceptionReporterFilter should filter settings and headers such as HTTP_AUTHORIZATION

2024-07-31 Thread Django
#35646: SafeExceptionReporterFilter should filter settings and headers such as
HTTP_AUTHORIZATION
-+-
 Reporter:  Natalia Bidart   |Owner:  Natalia
 Type:   |  Bidart
  Cleanup/optimization   |   Status:  assigned
Component:  Error reporting  |  Version:  dev
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by Sarah Boyce):

 * stage:  Unreviewed => Accepted

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/010701910985a900-c809cb35-eaac-49c5-80e1-6cddf43801be-00%40eu-central-1.amazonses.com.


Re: [Django] #35646: SafeExceptionReporterFilter should filter settings and headers such as HTTP_AUTHORIZATION

2024-08-01 Thread Django
#35646: SafeExceptionReporterFilter should filter settings and headers such as
HTTP_AUTHORIZATION
-+-
 Reporter:  Natalia Bidart   |Owner:  Natalia
 Type:   |  Bidart
  Cleanup/optimization   |   Status:  closed
Component:  Error reporting  |  Version:  dev
 Severity:  Normal   |   Resolution:  fixed
 Keywords:   | Triage Stage:  Accepted
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by nessita <124304+nessita@…>):

 * resolution:   => fixed
 * status:  assigned => closed

Comment:

 In [changeset:"aa9079505082d92d4ee5dc6a4adca056422422ed" aa907950]:
 {{{#!CommitTicketReference repository=""
 revision="aa9079505082d92d4ee5dc6a4adca056422422ed"
 Fixed #35646 -- Extended SafeExceptionReporterFilter.hidden_settings to
 treat `AUTH` as a sensitive match.

 Co-authored-by: Natalia <124304+ness...@users.noreply.github.com>
 }}}
-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/010701910f1b3062-6b37eb4e-0790-4bd8-96aa-74f1a430aeca-00%40eu-central-1.amazonses.com.


Re: [Django] #35646: SafeExceptionReporterFilter should filter settings and headers such as HTTP_AUTHORIZATION

2024-08-06 Thread Django
#35646: SafeExceptionReporterFilter should filter settings and headers such as
HTTP_AUTHORIZATION
-+-
 Reporter:  Natalia Bidart   |Owner:  Natalia
 Type:   |  Bidart
  Cleanup/optimization   |   Status:  closed
Component:  Error reporting  |  Version:  dev
 Severity:  Normal   |   Resolution:  fixed
 Keywords:   | Triage Stage:  Ready for
 |  checkin
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by Natalia Bidart):

 * stage:  Accepted => Ready for checkin

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/010701912799d324-9d2396f1-18fa-481c-856b-941da104f666-00%40eu-central-1.amazonses.com.