Opened 9 years ago
Closed 9 years ago
#26209 closed New feature (fixed)
Hide lowercase sensitive setting
Reported by: | François Freitag | Owned by: | François Freitag |
---|---|---|---|
Component: | Utilities | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
Django provides a cleanse_setting method[1] that prevents sensitive information from being displayed (for example with the diffsettings command).
cleanse_setting relies on a case-sensitive regular expression, HIDDEN_SETTINGS [2].
Making HIDDEN_SETTINGS case-insensitive would be useful to prevent passwords from being shown.
1: https://github.com/django/django/blob/9332497701f2c69bf0bb6d38ce59a51ca7abe78d/django/views/debug.py#L40-L62
2: https://github.com/django/django/blob/9332497701f2c69bf0bb6d38ce59a51ca7abe78d/django/views/debug.py#L22
Change History (7)
comment:1 by , 9 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
Summary: | Hide lowercase sensitive information → Hide lowercase sensitive setting |
comment:2 by , 9 years ago
comment:3 by , 9 years ago
Has patch: | set |
---|---|
Needs tests: | set |
Triage Stage: | Unreviewed → Accepted |
I don't see any downside. On the other hand, the convention is to use uppercase names for settings so is the only way to encounter this if you're defining your own lower case settings?
comment:4 by , 9 years ago
That's correct. Something like this was defined:
RABBITMQ = { 'host': 'localhost', 'login': 'guest', 'password': 'guest', }
I was surprised to see that DATABASES password was hidden, but not RABBITMQ.
comment:5 by , 9 years ago
Okay, please uncheck "Needs tests" on this ticket when you add one to the pull request. Thanks.
comment:6 by , 9 years ago
Needs tests: | unset |
---|
Corresponding PR: https://github.com/django/django/pull/6122
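The behaviour discussed in this ticket, as an added example that is not part of the ticket or of Django's code: a simplified stand-in for cleanse_setting run with a case-sensitive and a case-insensitive pattern, plus an audit helper that lists the keys only the case-insensitive pattern masks. The keyword list, the function names and the sample settings are assumptions constructed for illustration.

```python
import re

# Assumed keyword list, standing in for the HIDDEN_SETTINGS pattern in debug.py.
KEYWORDS = "API|TOKEN|KEY|SECRET|PASS|SIGNATURE"
CASE_SENSITIVE = re.compile(KEYWORDS)
CASE_INSENSITIVE = re.compile(KEYWORDS, flags=re.IGNORECASE)
CLEANSED_SUBSTITUTE = "********************"

# Constructed sample settings, mirroring the RABBITMQ dict from comment:4.
SAMPLE = {
    "DATABASES": {"default": {"NAME": "app", "PASSWORD": "db-secret"}},
    "RABBITMQ": {"host": "localhost", "login": "guest", "password": "guest"},
}


def is_sensitive(key, pattern):
    """True if the key name matches the pattern; non-string keys never match."""
    try:
        return bool(pattern.search(key))
    except TypeError:  # e.g. an integer key inside a nested dict
        return False


def cleanse(key, value, pattern):
    """Mask the value when the key looks sensitive, recursing into dict values."""
    if is_sensitive(key, pattern):
        return CLEANSED_SUBSTITUTE
    if isinstance(value, dict):
        return {k: cleanse(k, v, pattern) for k, v in value.items()}
    return value


def exposed_paths(settings, path=()):
    """Dotted paths that the case-sensitive pattern shows but the case-insensitive one masks."""
    found = []
    for key, value in settings.items():
        here = path + (str(key),)
        if is_sensitive(key, CASE_SENSITIVE):
            continue  # already masked, nothing below it is displayed
        if is_sensitive(key, CASE_INSENSITIVE):
            found.append(".".join(here))
        elif isinstance(value, dict):
            found.extend(exposed_paths(value, here))
    return found


if __name__ == "__main__":
    print(cleanse("RABBITMQ", SAMPLE["RABBITMQ"], CASE_SENSITIVE))
    print(cleanse("RABBITMQ", SAMPLE["RABBITMQ"], CASE_INSENSITIVE))
    print(exposed_paths(SAMPLE))
```

Running exposed_paths over a project's own settings dict gives a quick list of lowercase or mixed-case keys that a case-sensitive filter would display in clear text.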