Opened 10 years ago
Closed 10 years ago
#24545 closed Bug (fixed)
sensitive_post_parameters disclosure in csrf_exempt wrapper
Reported by: | H0neyBadger | Owned by: | nobody |
---|---|---|---|
Component: | Uncategorized | Version: | 1.7 |
Severity: | Normal | Keywords: | sensitive_post_parameters |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Hello,
I am currently developing on 'Django REST framework' and I am trying to hide some parameters in the Django error report.
Unfortunately, the csrf_exempt method in the traceback reveals sensitive POST data to the admin.
I think adding request in the wrapper should do the trick:

    def wrapped_view(request, *args, **kwargs):
        return view_func(request, *args, **kwargs)
Exception filter: SafeExceptionReporterFilter
Decorator : @sensitive_post_parameters
Debug = False
Django 1.7.7
Python 3.4.2
Attachments (1)
Change History (2)
by , 10 years ago
Attachment: | django error report.png added |
---|
comment:1 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
It looks like this is addressed in Django 1.8 because HttpRequest.__repr__()
no longer includes GET/POST variables; see 788fa9fffa0105d391b8fe35f2894bc5b4e29066.
error report example
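The leak described in this ticket, reproduced as an added example that is not part of the ticket or of Django's code. `ToyRequest`, `safe_repr` and `report_frame_locals` are simplified stand-ins for the request class and the exception reporter filter, and the `*args`-only wrapper shape is an assumption drawn from the fix the reporter proposes.

```python
import sys

class ToyRequest:
    """Stand-in request whose repr embeds POST data (the pre-1.8 behaviour noted in comment:1)."""
    def __init__(self, post, sensitive=()):
        self.POST = dict(post)
        self.sensitive_post_parameters = tuple(sensitive)

    def __repr__(self):
        return "<ToyRequest POST:%r>" % (self.POST,)

def safe_repr(request):
    """Repr of the request with the flagged POST keys masked."""
    masked = {k: ("********" if k in request.sensitive_post_parameters else v)
              for k, v in request.POST.items()}
    return "<ToyRequest POST:%r>" % (masked,)

def report_frame_locals(tb):
    """Simplified filter: a local is masked only when it is itself a request object."""
    report = []
    while tb is not None:
        frame = tb.tb_frame
        for name, value in frame.f_locals.items():
            shown = safe_repr(value) if isinstance(value, ToyRequest) else repr(value)
            report.append((frame.f_code.co_name, name, shown))
        tb = tb.tb_next
    return report

def view(request):
    raise ValueError("view failed")  # forces an error report

def wrapper_star_args(*args, **kwargs):  # assumed shape of the wrapper in the traceback
    return view(*args, **kwargs)

def wrapper_named_request(request, *args, **kwargs):  # shape proposed in the ticket
    return view(request, *args, **kwargs)

def leaked_frames(wrapper, secret="constructed-secret"):
    """Return (function, local) pairs whose reported value still contains the secret."""
    request = ToyRequest({"user": "bob", "password": secret}, sensitive=("password",))
    try:
        wrapper(request)
    except ValueError:
        tb = sys.exc_info()[2].tb_next  # skip this harness frame, start at the wrapper
        return [(fn, name) for fn, name, shown in report_frame_locals(tb) if secret in shown]

if __name__ == "__main__":
    print("*args wrapper leaks:", leaked_frames(wrapper_star_args))
    print("named request leaks:", leaked_frames(wrapper_named_request))
```

With the `*args` wrapper the request sits inside a tuple, so the type check never sees it and the tuple's repr prints the unmasked POST data. Changing the request's repr so it omits POST, as comment:1 describes for 1.8, closes the leak for any container.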