#18379 closed Bug (fixed)
sensitive_variables handling fails for methods
| Reported by: | Gabriel Hurley | Owned by: | Julien Phalip |
|---|---|---|---|
| Component: | Core (Other) | Version: | 1.4 |
| Severity: | Release blocker | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
When attempting to decorate a class method with the "sensitive_variables" decorator (both with and without the "method_decorator" decorator) the expectation is that the variables will be properly filtered out.
However, that is not the case due to this line: https://github.com/django/django/blob/master/django/views/debug.py#L159
Since methods do not live in the global namespace, they're not found, and thereby the sensitive_variables stripping is bypassed.
This is non-obvious behavior and should either be documented or fixed to behave as expected.
Change History (7)
comment:1 by , 12 years ago
| Owner: | changed from | to |
|---|---|---|
comment:2 by , 12 years ago
| Has patch: | set |
|---|---|
| Needs tests: | set |
comment:3 by , 12 years ago
| Owner: | changed from | to |
|---|---|---|
| Severity: | Normal → Release blocker | |
| Triage Stage: | Unreviewed → Accepted | |
I can confirm this issue, thanks! I'm working on a patch now.
comment:4 by , 12 years ago
| Needs tests: | unset |
|---|---|
So I've got a patch here: https://github.com/django/django/pull/106
If we're good to merge it then we should also apply it to 1.4.1, as this is a bug in a security-related feature.
Any reviews welcome.
comment:5 by , 12 years ago
Looks good to me, Julien.
I like that approach. Nice and thorough. +1 on applying it to 1.4.1.
Thanks for carrying this one through to the end.
comment:6 by , 12 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Great, thanks for the review Gabriel!
This was merged in [f699641161a4ec8b6cbee938fd3a4379e7889ff2].
It looks like checking to see if `func` is `None`, and then inspecting `f_locals` for `"self"`, is a viable option to get at the decorated method, but I'm not 100% sure it's the best approach. Frame objects are painful. That solution would look something like this: https://github.com/gabrielhurley/django/compare/sensitive_variables_for_methods