Opened 3 years ago
Closed 3 years ago
#32465 closed Bug (duplicate)
Passwords in env variables should be hidden on debug page like other settings are.
| Reported by: | galt | Owned by: | nobody |
|---|---|---|---|
| Component: | Error reporting | Version: | 3.1 |
| Severity: | Normal | Keywords: | env passwords debug |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Hundreds of blog pages tell people to put their settings for database and other passwords and keys
into env variables for easier management, and then settings.py reads those. This is often described as a good way to avoid accidentally checking sensitive settings.py into source code control like git. But then the env variables are exposed in the django debug output with debug=true. Since django already hides 'API|TOKEN|KEY|SECRET|PASS|SIGNATURE' for django settings, it should hide env variables too in the same way.
Currently this problem is not easy to work around.
Having debug=false for production helps protect production servers. But some users use the same db user/password for both development and production systems. So leaking one leaks the other.
On rare occasions, people need to temporarily enable debug on production to solve some quick issue. So fixing the bug would make this safer.
Change History (1)
comment:1 by , 3 years ago
| Component: | Uncategorized → Error reporting |
|---|---|
| Resolution: | → duplicate |
| Status: | new → closed |
I'm guessing you aren't using Django 3.1 which has #23004, but if you are please elaborate on where you see this.