Opened 12 years ago
Last modified 12 years ago
#21098 closed Bug
MultiValueDictKeyError leaks sensitive POST data — at Initial Version
| Reported by: | Simon Percivall | Owned by: | nobody |
|---|---|---|---|
| Component: | Core (Other) | Version: | dev |
| Severity: | Release blocker | Keywords: | |
| Cc: | Jonas Borgström | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Getting an error in MultiValueDict on a POST, such as doing request.POST['foo'], will leak the POST data without any escaping by Django, i.e. the MultiValueDictKeyError contains an unescaped repr of request.POST, no matter if you've added for instance @sensitive_post_parameters("password").
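
An added illustration of the behaviour described above; it is not Django's source and not part of the ticket. `PostData`, `SafePostData`, `error_report` and `report_for` are hypothetical stand-ins and the sample values are constructed. It shows why masking POST values by parameter name does not help when the exception message itself carries a repr of the whole dict, and one way to avoid that by naming only the missing key.

```python
SENSITIVE = ("password",)  # constructed: names one would mark as sensitive


class PostData(dict):
    """Hypothetical stand-in for a multi-value POST dict; mirrors the reported behaviour."""

    def __getitem__(self, key):
        try:
            return dict.__getitem__(self, key)[-1]
        except KeyError:
            # Reported behaviour: the message embeds repr(self), so every
            # submitted value travels inside the exception text.
            raise KeyError("Key %r not found in %r" % (key, self)) from None


class SafePostData(dict):
    """Same lookup, but the error names only the missing key."""

    def __getitem__(self, key):
        try:
            return dict.__getitem__(self, key)[-1]
        except KeyError:
            raise KeyError(key) from None


def error_report(post, exc):
    """Name-based masking, as a sensitive-parameter filter would do for POST values."""
    masked = {k: "********" if k in SENSITIVE else v for k, v in post.items()}
    # The exception text is a free-form string, so key-based masking cannot reach it.
    return "Exception: %s\nPOST: %r" % (exc, masked)


def report_for(post_cls):
    post = post_cls({"username": ["alice"], "password": ["hunter2"]})  # constructed sample
    try:
        post["foo"]  # missing key, as in the ticket
    except KeyError as exc:
        return error_report(post, exc)


if __name__ == "__main__":
    print(report_for(PostData))      # password appears in the exception line
    print(report_for(SafePostData))  # only the missing key is named
```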