id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
33090	Extend sensitive post parameter filtering to be applicable to exceptions in middleware.	Carlton Gibson		"With the current implementation of the `@sensitive_post_parameters` decorator, the request is not marked until the view is executed. This means that the filtering cannot be applied to reports generated by exceptions in the middleware. 

Filtering is always best-effort, and [https://docs.djangoproject.com/en/3.2/howto/error-reporting/#filtering-error-reports all the usual caveats apply] but discussion by the Django Security Team suggests that it would be feasible to mark the request before processing the middleware, thus allowing the filtering in error reports even for middleware exceptions. 

The first step would be to adjust `sensitive_post_parameters` to mark the view callback: 

{{{
diff --git a/django/views/decorators/debug.py b/django/views/decorators/debug.py
index 312269baba..faa6eeb107 100644
--- a/django/views/decorators/debug.py
+++ b/django/views/decorators/debug.py
@@ -88,5 +88,7 @@ def sensitive_post_parameters(*parameters):
             else:
                 request.sensitive_post_parameters = '__ALL__'
             return view(request, *args, **kwargs)
+        # Mark the wrapped view itself in case of middleware errors.
+        sensitive_post_parameters_wrapper.sensitive_post_parameters = parameters or '__ALL__'
         return sensitive_post_parameters_wrapper
     return decorator
}}}
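
Review bot: the marker added after `return view(request, *args, **kwargs)` exists only as an attribute on `sensitive_post_parameters_wrapper`, so the handler can see it only when this wrapper, or something that copies its attributes, is the callback the URL resolver returns. A view wrapped afterwards by a decorator that does not propagate function attributes would lose the marker silently, which deserves a test and a sentence on decorator ordering in the docs. The expression `parameters or '__ALL__'` also repeats the `'__ALL__'` fallback visible in the `else` branch above it; computing that value once and using it in both places would keep the two from drifting apart.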

And then have the request marked prior to processing the middleware: 

{{{
diff --git a/django/core/handlers/base.py b/django/core/handlers/base.py
index 728e449703..260200d5d7 100644
--- a/django/core/handlers/base.py
+++ b/django/core/handlers/base.py
@@ -218,6 +218,10 @@ class BaseHandler:
         response = None
         callback, callback_args, callback_kwargs = self.resolve_request(request)
 
+        # Mark the request with sensitive_post_parameters if applied.
+        if hasattr(callback, 'sensitive_post_parameters'):
+            request.sensitive_post_parameters = callback.sensitive_post_parameters
+
         # Apply view middleware.
         for middleware_method in self._view_middleware:
             response = await middleware_method(request, callback, callback_args, callback_kwargs)
}}}
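
Review bot: the assignment sits after `self.resolve_request(request)` and immediately before the view-middleware loop, so only code that runs from that point on sees a marked request; an exception raised earlier in the request path, including inside `resolve_request` itself, would still be reported unfiltered, and the documentation should state that limit. The context line `response = await middleware_method(request, callback, callback_args, callback_kwargs)` shows this hunk is inside a coroutine, so the same `hasattr` check and assignment are needed in the non-awaiting counterpart of this method, with a test for each path.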

For this last, similar would be required for the async pathway. 

Then it would require tests and ancillary cleanup. "	New feature	new	Error reporting	3.2	Normal				Unreviewed	0	0	0	0	0	0
