Opened 9 years ago
Closed 9 years ago
#26209 closed New feature (fixed)
Hide lowercase sensitive setting
| Reported by: | François Freitag | Owned by: | François Freitag |
|---|---|---|---|
| Component: | Utilities | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
Django provides a cleanse_setting method[1] that prevents sensitive information from being displayed (for example with the diffsettings command).
cleanse_settings relies on a case-sensitive regular expression, HIDDEN_SETTINGS [2].
Making HIDDEN_SETTINGS case-insensitive would be useful to prevent password to be shown.
1: https://github.com/django/django/blob/9332497701f2c69bf0bb6d38ce59a51ca7abe78d/django/views/debug.py#L40-L62
2: https://github.com/django/django/blob/9332497701f2c69bf0bb6d38ce59a51ca7abe78d/django/views/debug.py#L22
Change History (7)
comment:1 by , 9 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
| Summary: | Hide lowercase sensitive information → Hide lowercase sensitive setting |
comment:2 by , 9 years ago
comment:3 by , 9 years ago
| Has patch: | set |
|---|---|
| Needs tests: | set |
| Triage Stage: | Unreviewed → Accepted |
I don't see any downside. On the other hand, the convention is to use uppercase names for settings so is the only way to encounter this if you're defining your own lower case settings?
comment:4 by , 9 years ago
That's correct. Something like this was defined:
RABBITMQ = { 'host': 'localhost', 'login': 'guest', 'password': 'guest', }
I was surprised to see that DATABASES password was hidden, but not RABBITMQ.
comment:5 by , 9 years ago
Okay, please uncheck "Needs tests" on this ticket when you add one to the pull request. Thanks.
comment:6 by , 9 years ago
| Needs tests: | unset |
|---|
Corresponding PR: https://github.com/django/django/pull/6122