id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31077	Add a safeguard to debug decorators (sensitive_variables/sensitive_post_parameters) to prevent incorrect usage.	Baptiste Mispelon	Mariusz Felisiak <felisiak.mariusz@…>	"While trying to reproduce ticket:26480#comment:5, I noticed that Django happily lets you write this kind of code:

{{{
#!python
@sensitive_variables # incorrect usage, should be @sensitive_variables()
def is_password_ok(password):
    return len(password) > 8
}}}

It's very easy to miss that you forgot the `()`. Most of the time it's not really dangerous because the decorated function will be unusable, but in this case the consequences are pretty nasty:

{{{
#!python
>>> bool(is_password_ok('asdf'))
True  # you would expect False because len('asdf') < 8
}}}

I propose adding some code to both `sensitive_variables()` and `sensitive_post_parameters()` that catches this misuse to prevent users from decorating their functions incorrectly.
Because both decorators take either no arguments or only string arguments, it's not too hard to detect the error with something like this:
{{{
#!python
def sensitive_variables(*variables):
    if len(variables) == 1 and callable(variables[0]):
        raise TypeError(...)
    # ...
}}}

This should be fully backwards compatible, and in most cases it will raise the error at import time, which should make things easier to fix for those who've incorrectly used the decorator.


(I've confirmed with the security team that this does not need to be treated as a security issue)"	Cleanup/optimization	closed	Error reporting	dev	Normal	fixed			Accepted	1	0	0	0	0	0
