id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23951	SafeExceptionReporterFilter does not have a way to filter and redact exception messages	Lukhnos Liu	nobody	"SafeExceptionReporterFilter provides methods that filter things like POST parameters and traceback variables. However, there does not seem to be a way to filter and redact the exception message itself. Here is an example:

{{{
IntegrityError: null value in column ""some_column"" violates not-null constraint
DETAIL:  Failing row contains (1, 2014-11-10 15:32:29.791438-08, Foo, Bar, null, foobar@example.org, t, null, , , 10000.00, 1, 1000.00).
}}}

This error is raised by the PostgreSQL backend, which in turn uses psycopg2's IntegrityError, which in turn reports PostgreSQL's own error verbatim. Because it dumps the entire row, this means potentially sensitive information is leaked into logs.

Note that I use a SafeExceptionReporterFilter subclass as my DEFAULT_EXCEPTION_REPORTER_FILTER, so I'm already doing some extra filtering in its get_post_parameters and get_traceback_frame_variables methods.

From the source code, it appears that the exception message is included here: https://github.com/django/django/blob/4a4ad27712b44cebada1bdaebd082cf82df74610/django/views/debug.py#L504. This lives in ExceptionReporter, not the filter. One can run their own Django fork and do something in that method, or patch it during runtime from their project. It may still be better to redact on the filter level, though.

To sum up, I believe there needs to be a way to filter exception messages, so that apps get a chance to pattern-match and redact strings that potentially contain sensitive information.
"	New feature	closed	Error reporting	dev	Normal	duplicate	logging		Accepted	0	0	0	0	0	0
