Cleanse entries from request.META in debug views
|Reported by:||blueyed||Owned by:||nobody|
|Has patch:||yes||Needs documentation:||yes|
|Needs tests:||yes||Patch needs improvement:||no|
In the debug views settings is cleansed, which hides e.g. SECRET_KEY.
But a lot of sensible information might also be present / come from request.META, e.g. in the form of DJANGO_SECRET_KEY or DATABASE_URL.
It might be sensible to apply a filter in TECHNICAL_500_TEMPLATE (source code reference: https://github.com/django/django/blob/master/django/views/debug.py#L972-977).
I see that this can be quite specific, but I think it would be sensible to apply HIDDEN_SETTINGS to all entries starting with DJANGO_ and have a setting for additional entries, which might default to DATABASE_URL and SENTRY_DSN.
Change History (8)
comment:1 Changed 2 years ago by blueyed
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset