Opened 8 years ago

Closed 8 years ago

#26209 closed New feature (fixed)

Hide lowercase sensitive setting

Reported by: François Freitag Owned by: François Freitag
Component: Utilities Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

Django provides a cleanse_setting method [1] that prevents sensitive information from being displayed (for example with the diffsettings command).

cleanse_setting relies on a case-sensitive regular expression, HIDDEN_SETTINGS [2].
Making HIDDEN_SETTINGS case-insensitive would be useful to prevent passwords from being shown.

1: https://github.com/django/django/blob/9332497701f2c69bf0bb6d38ce59a51ca7abe78d/django/views/debug.py#L40-L62
2: https://github.com/django/django/blob/9332497701f2c69bf0bb6d38ce59a51ca7abe78d/django/views/debug.py#L22

Change History (7)

comment:1 by François Freitag, 8 years ago

Owner: changed from nobody to François Freitag
Status: new → assigned
Summary: Hide lowercase sensitive information → Hide lowercase sensitive setting

comment:2 by François Freitag, 8 years ago

comment:3 by Tim Graham, 8 years ago

Has patch: set
Needs tests: set
Triage Stage: Unreviewed → Accepted

I don't see any downside. On the other hand, the convention is to use uppercase names for settings so is the only way to encounter this if you're defining your own lower case settings?

comment:4 by François Freitag, 8 years ago

That's correct. Something like this was defined:

RABBITMQ = {
    'host': 'localhost',
    'login': 'guest',
    'password': 'guest',
}

I was surprised to see that DATABASES password was hidden, but not RABBITMQ.
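The behaviour described in the ticket description and in the RABBITMQ example above, shown as an added example that is not Django's own code: a cleanse_setting-style filter run with a case-sensitive pattern and with the same pattern compiled with re.IGNORECASE. The pattern 'API|TOKEN|KEY|SECRET|PASS|SIGNATURE' is assumed to resemble HIDDEN_SETTINGS of that era; the sample settings dict and the audit helper are constructed for the illustration.

```python
import re

# Substitute written in place of a masked value, as the debug view does.
CLEANSED_SUBSTITUTE = '********************'

# Pattern assumed to resemble the pre-fix HIDDEN_SETTINGS (case-sensitive).
HIDDEN_SETTINGS_CASE_SENSITIVE = re.compile('API|TOKEN|KEY|SECRET|PASS|SIGNATURE')
# Same pattern with re.IGNORECASE: the behaviour this ticket asks for.
HIDDEN_SETTINGS_CASE_INSENSITIVE = re.compile(
    'API|TOKEN|KEY|SECRET|PASS|SIGNATURE', re.IGNORECASE)


def cleanse_setting(key, value, hidden=HIDDEN_SETTINGS_CASE_INSENSITIVE):
    """Return `value` with anything whose key matches `hidden` masked.

    Nested dicts are cleansed recursively, so a sensitive key at any depth
    (e.g. DATABASES['default']['PASSWORD']) is masked too.
    """
    if not isinstance(key, str):
        return value  # non-string keys cannot match the pattern
    if hidden.search(key):
        return CLEANSED_SUBSTITUTE
    if isinstance(value, dict):
        return {k: cleanse_setting(k, v, hidden) for k, v in value.items()}
    return value


def cleanse_settings(settings, hidden=HIDDEN_SETTINGS_CASE_INSENSITIVE):
    """Cleanse a whole settings mapping (what diffsettings would print)."""
    return {k: cleanse_setting(k, v, hidden) for k, v in settings.items()}


def unmasked_sensitive_keys(cleansed, path=''):
    """Audit helper (constructed): list dotted paths whose key looks sensitive
    under the case-insensitive pattern but whose value was not masked."""
    leaks = []
    for key, value in cleansed.items():
        here = f'{path}.{key}' if path else str(key)
        if isinstance(value, dict):
            leaks.extend(unmasked_sensitive_keys(value, here))
        elif (isinstance(key, str)
              and HIDDEN_SETTINGS_CASE_INSENSITIVE.search(key)
              and value != CLEANSED_SUBSTITUTE):
            leaks.append(here)
    return leaks


# Constructed sample settings: an uppercase DATABASES password next to the
# lowercase RABBITMQ keys from the ticket.
SAMPLE_SETTINGS = {
    'DATABASES': {'default': {'NAME': 'app', 'PASSWORD': 'db-secret'}},
    'RABBITMQ': {'host': 'localhost', 'login': 'guest', 'password': 'guest'},
    'DEBUG': True,
}

if __name__ == '__main__':
    before = cleanse_settings(SAMPLE_SETTINGS, HIDDEN_SETTINGS_CASE_SENSITIVE)
    after = cleanse_settings(SAMPLE_SETTINGS)
    print('case-sensitive leaks:  ', unmasked_sensitive_keys(before))
    print('case-insensitive leaks:', unmasked_sensitive_keys(after))
```

With the case-sensitive pattern, DATABASES.default.PASSWORD is masked while RABBITMQ.password comes through in clear; with re.IGNORECASE both are replaced by the substitute and the audit helper reports nothing.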

comment:5 by Tim Graham, 8 years ago

Okay, please uncheck "Needs tests" on this ticket when you add one to the pull request. Thanks.

comment:6 by François Freitag, 8 years ago

Needs tests: unset

comment:7 by Tim Graham <timograham@…>, 8 years ago

Resolution: fixed
Status: assigned → closed

In 16a88b44:

Fixed #26209 -- Masked sensitive settings in debug reports regardless of case.
