id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31604	"Should SafeExceptionReporterFilter cleanse setting keys whose name matches ""URL"" in part, too?"	Sebastian Pipping		"Hi!

Since #23004 is fixed (commit 581ba5a9486ed73cb81031d85b3ce1b27a960109, Django 3.1a1 and later), setting `.DEFAULT_EXCEPTION_REPORTER_FILTER` allows customizing the filter that hides away values of variables whose names match a certain pattern, `API|TOKEN|KEY|SECRET|PASS|SIGNATURE` (ignoring case) by default. So if I want to filter away more than the default, I could do that for my own Django project.

I noticed that `URL` is not in that list while people seem to put credentials into the authority part of URLs — not just database URLs but also RabbitMQ and Celery connection URLs, used in so-called ""development environments"" with `DEBUG=True` enabled, accessible from the public internet. While the real fix is `DEBUG=False` of course, I consider getting more people on safe ground. Filtering URLs away altogether is probably inconvenient and maybe more than needed. I consider adding code to parse URLs, replace user and password by `SafeExceptionReporterFilter.cleansed_substitute` each where present, and display the result for a value.

Would that be considered an anti-feature or should I go for a pull request?

Best, Sebastian"	Uncategorized	closed	Error reporting	dev	Normal	wontfix	security debug	Sebastian Pipping	Unreviewed	1	0	0	0	0	0
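
The redaction proposed in this ticket can be done in a project's own filter through `DEFAULT_EXCEPTION_REPORTER_FILTER`. The following is an added example, not code from the ticket or from Django: `cleanse_url_credentials`, `UrlCredentialFilter` and the sample URLs in the comments are constructed for illustration, and the subclass assumes Django 3.1 or later.

```python
from urllib.parse import urlsplit, urlunsplit

# Same placeholder string as SafeExceptionReporterFilter.cleansed_substitute.
CLEANSED_SUBSTITUTE = "*" * 20


def cleanse_url_credentials(value, substitute=CLEANSED_SUBSTITUTE):
    """Replace user and password in a URL's authority part, each where present.

    Only values that are a URL as a whole are handled; anything else is
    returned unchanged. Caveat: a password containing an unencoded "/" ends
    the authority early, so such a value is not recognised and not cleansed.
    """
    if not isinstance(value, str) or "://" not in value:
        return value
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 literal
        return value
    # rpartition: an unencoded "@" inside the password must stay in userinfo.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return value  # no credentials in this URL
    user, colon, password = userinfo.partition(":")
    cleansed = (substitute if user else "") + colon + (substitute if password else "")
    return urlunsplit(parts._replace(netloc=f"{cleansed}@{hostport}"))


try:
    from django.views.debug import SafeExceptionReporterFilter
except ImportError:  # Django not installed: the helper above still works alone
    SafeExceptionReporterFilter = None

if SafeExceptionReporterFilter is not None:

    class UrlCredentialFilter(SafeExceptionReporterFilter):  # hypothetical name
        def cleanse_setting(self, key, value):
            # Default name-based cleansing first; it recurses into dicts and
            # lists through this method, so nested URLs are covered as well.
            cleansed = super().cleanse_setting(key, value)
            return cleanse_url_credentials(cleansed, self.cleansed_substitute)

# settings.py (module path is an assumption):
# DEFAULT_EXCEPTION_REPORTER_FILTER = "myproject.filters.UrlCredentialFilter"
```

Host, port and path stay visible in the debug page, so the value remains useful for troubleshooting while the credentials are hidden.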
