
Opened 3 years ago

Closed 3 years ago

#16874 closed Cleanup/optimization (wontfix)

Security issue: settings.py stores password+username in plain-text

Reported by: AlecTaylor
Owned by: nobody
Component: Core (Other)
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Good evening,

I've just begun learning Django when I noticed settings.py stores password+username in plain-text.

Please fix this (i.e. by implementing something with PyOpenSSL or I can write a frontend in C++)

Thanks,

Alec Taylor

Attachments (0)

Change History (2)

comment:1 Changed 3 years ago by aaugustin

  • Component changed from Database layer (models, ORM) to Core (Other)
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Severity changed from Release blocker to Normal
  • Triage Stage changed from Unreviewed to Design decision needed
  • Type changed from Uncategorized to Cleanup/optimization

settings.py is a regular python file, you can implement the password loading mechanism that best suits your needs. However, I think it's unrealistic to try to develop a one-size-fits-all password storage mechanism. There are too many uses of Django.

The (POSIX) user under which the application runs needs access to the password anyway, so it's hard to provide much more security than chowning settings.py to this user and chmodding to 400.

Marking as DDN, but I think core devs will say "wontfix".

Thanks for the suggestion!
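The comment above says settings.py is ordinary Python, so the password can be loaded however the deployment needs, and that the practical protection is to make the file owned by the application's user with mode 400. The following is an added example, not Django's own code and not from this ticket: a helper that settings.py can call to read the database password from the environment or from a secrets file, refusing to start if that file is owned by someone else or readable by group/other. The `/etc/myapp/db_password` path, the `DJANGO_DB_PASSWORD` variable name, and the `database_settings` function are assumptions for the example; only the `DATABASES` key names are Django's.

```python
"""Loading a database password from outside settings.py.

Added example, not Django's own code. The /etc/myapp path and the
DJANGO_DB_PASSWORD variable name are assumptions, not Django defaults.
"""
import os
import stat
import tempfile

DEFAULT_SECRET_PATH = "/etc/myapp/db_password"  # assumed location for the example


class SecretFileError(RuntimeError):
    """Raised when the secrets file is not locked down to the application's user."""


def check_secret_file(path):
    """Verify that `path` is a regular file, owned by the effective user of this
    process, with no group/other permission bits (mode 0400 or 0600).
    Returns True on success, raises SecretFileError otherwise, so a misconfigured
    deployment fails at startup instead of running with a world-readable secret."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISREG(st.st_mode):
        raise SecretFileError(f"{path} is not a regular file")
    if st.st_uid != os.geteuid():
        raise SecretFileError(f"{path} is not owned by the user running the application")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretFileError(
            f"{path} has mode {oct(mode)}; group/other bits must be clear (chmod 400)"
        )
    return True


def load_db_password(path=DEFAULT_SECRET_PATH, env_var="DJANGO_DB_PASSWORD"):
    """Return the database password from the environment if `env_var` is set and
    non-empty, otherwise from the permission-checked secrets file at `path`."""
    if env_var:
        value = os.environ.get(env_var)
        if value:
            return value
    check_secret_file(path)
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def database_settings(password, name="app", user="app", host="localhost"):
    """Build the DATABASES dict that settings.py would assign; the password value
    itself never has to be written into the settings file."""
    return {
        "default": {
            "ENGINE": "django.db.backends.postgresql",
            "NAME": name,
            "USER": user,
            "PASSWORD": password,
            "HOST": host,
        }
    }


def write_secret(path, value, mode):
    """Create `path` holding `value` with the given mode (demo helper)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, value.encode("utf-8"))
    finally:
        os.close(fd)
    os.chmod(path, mode)  # set explicitly so the outcome does not depend on umask


def demo():
    """Accept a mode-0400 secrets file and reject a world-readable one.
    Uses a constructed password in a temporary directory; returns the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        strict = os.path.join(tmp, "db_password")
        loose = os.path.join(tmp, "db_password_loose")
        write_secret(strict, "constructed-example-password\n", 0o400)
        write_secret(loose, "constructed-example-password\n", 0o644)
        password = load_db_password(strict, env_var=None)
        try:
            load_db_password(loose, env_var=None)
            loose_rejected = False
        except SecretFileError:
            loose_rejected = True
        return {
            "password": password,
            "settings": database_settings(password),
            "loose_rejected": loose_rejected,
        }


if __name__ == "__main__":
    result = demo()
    print("loaded:", result["settings"]["default"]["USER"], "rejected loose file:", result["loose_rejected"])
```

In a real settings.py the last lines would simply be `DATABASES = database_settings(load_db_password())`; the point of the permission check is that it does not make the secret any harder for the application's own user to read (that user needs it regardless, as the comment notes) but turns a forgotten chmod into a startup error rather than a silent exposure.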

comment:2 Changed 3 years ago by russellm

  • Resolution set to wontfix
  • Status changed from new to closed

  1. First off, *PLEASE* don't report security issues to Trac. If you think you have found a security issue, it should be reported to security@…, just like it says on the new ticket page.
  2. Like aaugustin says, this isn't a security issue. If an attacker is in a position where they can read your settings.py file, the battle is already lost.
  3. If you still want to use a different authentication method, you have that flexibility. The only part of settings.py that specifies a username and password is the database backend, and they are pluggable, so you can implement your own backend with your own authentication method if you want.

If you implement a pluggable backend with a custom authentication scheme and want to contribute it to trunk, we *might* consider adding it to trunk (depending on complexity, efficacy, etc), but otherwise, having this as an open ticket won't actually progress anything. Marking wontfix, as aaugustin suggested.
