id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31451	Settings are cleaned insufficiently.	Markus Holtermann	Ichlasul Affan	"Posting publicly after checking with the rest of the security team.

I just ran into a case where `django.views.debug.SafeExceptionReporterFilter.get_safe_settings()` would return several un-cleansed values. Looking at `cleanse_setting()` I realized that we [https://github.com/django/django/blob/f5ede1cb6da473166d22c04dcbd8240e2a0f223d/django/views/debug.py#L91-L92 only take care of `dict`s] but don't take other types of iterables into account but [https://github.com/django/django/blob/f5ede1cb6da473166d22c04dcbd8240e2a0f223d/django/views/debug.py#L93-L94 return them as-is].

Example:

In my settings.py I have this:

{{{#!python
MY_SETTING = {
    ""foo"": ""value"",
    ""secret"": ""value"",
    ""token"": ""value"",
    ""something"": [
        {""foo"": ""value""},
        {""secret"": ""value""},
        {""token"": ""value""},
    ],
    ""else"": [
        [
            {""foo"": ""value""},
            {""secret"": ""value""},
            {""token"": ""value""},
        ],
        [
            {""foo"": ""value""},
            {""secret"": ""value""},
            {""token"": ""value""},
        ],
    ]
}
}}}

On Django 3.0 and below:

{{{#!python
>>> import pprint
>>> from django.views.debug import get_safe_settings
>>> pprint.pprint(get_safe_settings()[""MY_SETTING""])
{'else': [[{'foo': 'value'}, {'secret': 'value'}, {'token': 'value'}],
          [{'foo': 'value'}, {'secret': 'value'}, {'token': 'value'}]],
 'foo': 'value',
 'secret': '********************',
 'something': [{'foo': 'value'}, {'secret': 'value'}, {'token': 'value'}],
 'token': '********************'}
}}}

On Django 3.1 and up:

{{{#!python
>>> from django.views.debug import SafeExceptionReporterFilter
>>> import pprint
>>> pprint.pprint(SafeExceptionReporterFilter().get_safe_settings()[""MY_SETTING""])
{'else': [[{'foo': 'value'}, {'secret': 'value'}, {'token': 'value'}],
          [{'foo': 'value'}, {'secret': 'value'}, {'token': 'value'}]],
 'foo': 'value',
 'secret': '********************',
 'something': [{'foo': 'value'}, {'secret': 'value'}, {'token': 'value'}],
 'token': '********************'}
}}}"	Cleanup/optimization	closed	Error reporting	dev	Normal	fixed			Ready for checkin	1	0	0	0	0	0
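The ticket above shows the effect but not the code path. The following is an added illustration, not Django's own code and not part of the ticket: a dict-only cleanser of the kind the reporter describes, beside one that also descends into lists and tuples, run over a settings dict reconstructed from the ticket. The regex, the substitute string, and the names `cleanse_shallow`, `cleanse_setting` and `leaked_entries` are assumptions chosen for the example.

```python
import re
from typing import Any

# Assumed for this example: keys matching this pattern are treated as sensitive.
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.IGNORECASE)
CLEANSED_SUBSTITUTE = "********************"

# Settings dict reconstructed from the ticket (constructed sample input).
MY_SETTING = {
    "foo": "value",
    "secret": "value",
    "token": "value",
    "something": [
        {"foo": "value"},
        {"secret": "value"},
        {"token": "value"},
    ],
    "else": [
        [{"foo": "value"}, {"secret": "value"}, {"token": "value"}],
        [{"foo": "value"}, {"secret": "value"}, {"token": "value"}],
    ],
}


def _is_sensitive_key(key: Any) -> bool:
    """Only string keys can be matched; other key types are treated as benign."""
    return isinstance(key, str) and HIDDEN_SETTINGS.search(key) is not None


def cleanse_shallow(key: Any, value: Any) -> Any:
    """The insufficient behaviour described in the ticket: dicts are walked,
    but any other container (list, tuple, ...) is returned unchanged."""
    if _is_sensitive_key(key):
        return CLEANSED_SUBSTITUTE
    if isinstance(value, dict):
        return {k: cleanse_shallow(k, v) for k, v in value.items()}
    return value


def cleanse_setting(key: Any, value: Any) -> Any:
    """Hardened variant: recurse into dicts, lists and tuples so that a
    sensitive key is cleansed no matter how deeply it is nested.
    Elements of a list or tuple have no key, so an empty key is passed
    and only their own contents decide what gets cleansed."""
    if _is_sensitive_key(key):
        return CLEANSED_SUBSTITUTE
    if isinstance(value, dict):
        return {k: cleanse_setting(k, v) for k, v in value.items()}
    if isinstance(value, list):
        return [cleanse_setting("", v) for v in value]
    if isinstance(value, tuple):
        return tuple(cleanse_setting("", v) for v in value)
    return value


def leaked_entries(value: Any) -> int:
    """Audit helper: count dict entries whose key looks sensitive but whose
    value is still not the substitute, at any nesting depth."""
    leaks = 0
    if isinstance(value, dict):
        for k, v in value.items():
            if _is_sensitive_key(k) and v != CLEANSED_SUBSTITUTE:
                leaks += 1
            leaks += leaked_entries(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            leaks += leaked_entries(v)
    return leaks


if __name__ == "__main__":
    print("raw        :", leaked_entries(MY_SETTING))
    print("dict-only  :", leaked_entries(cleanse_shallow("MY_SETTING", MY_SETTING)))
    print("recursive  :", leaked_entries(cleanse_setting("MY_SETTING", MY_SETTING)))
```

Run against the reconstructed dict, the dict-only cleanser leaves the six values nested inside `something` and `else` exposed, which is exactly the output the ticket reproduces; the recursive variant leaves none. `leaked_entries` is the kind of check worth keeping in a test suite so a regression in the cleanser shows up as a non-zero count rather than as a leaked value in an error report.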
