Ticket #17460: hidden_settingsv2.patch

File hidden_settingsv2.patch, 1.7 KB (added by daenney, 13 years ago)

  • docs/ref/settings.txt

     
    758758
    759759If you define custom settings, `django/views/debug.py`_ has a ``HIDDEN_SETTINGS``
    760760regular expression which will hide from the DEBUG view anything that contains
    761 ``'SECRET'``, ``'PASSWORD'``, ``'PROFANITIES'``, or ``'SIGNATURE'``. This allows
    762 untrusted users to be able to give backtraces without seeing sensitive (or
    763 offensive) settings.
     761``'API'``, ``'TOKEN'``, ``'KEY'``, ``'SECRET'``, ``'PASS'``, ``'PROFANITIES'``,
     762or ``'SIGNATURE'``.
     763This allows untrusted users to be able to give backtraces without seeing
     764sensitive (or offensive) settings.
    764765
     766Note that due to how regular expression matching works ``'PASS'`` will also
     767match PASSWORD, just as ``'TOKEN'`` will also match TOKENIZED and so on.
     768
    765769Still, note that there are always going to be sections of your debug output that
    766770are inappropriate for public consumption. File paths, configuration options, and
    767771the like all give attackers extra information about your server.

  • django/views/debug.py

     
    1414from django.utils.importlib import import_module
    1515from django.utils.encoding import smart_unicode, smart_str
    1616
    17 HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD|PROFANITIES_LIST|SIGNATURE')
     17HIDDEN_SETTINGS = re.compile('API|TOKEN|KEY|SECRET|PASS|PROFANITIES_LIST|SIGNATURE')
    1818
    1919CLEANSED_SUBSTITUTE = u'********************'
Back to Top