Opened 2 years ago

Closed 17 months ago

#33606 closed Cleanup/optimization (fixed)

Session ID should be cleansed from error reporting

Reported by: Tobias Bengfort
Owned by: Tobias Bengfort
Component: Error reporting
Version: 4.0
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The session ID should be cleansed when reporting errors, just like other credentials. A patch is available at https://github.com/django/django/pull/15352.

See also #29714 and https://groups.google.com/g/django-developers/c/H5hJxpwYFcw.

A quick GitHub search yielded multiple occasions where session IDs ended up in public bug reports:

https://github.com/GibbsConsulting/django-plotly-dash/issues/376
https://github.com/ome/omero-mapr/issues/42
https://github.com/jhelbert/great_teaching_network/issues/220
https://github.com/dzone/osqa/issues/355

I am sure you could find many more. This could potentially be exploited by automatically searching for such requests and hijacking the associated accounts.
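The cleansing the report asks for, shown as an added standalone example (not Django's own code and not the linked patch): request metadata is redacted by key name before it is rendered into an error report, and because the session ID also travels inside the raw `HTTP_COOKIE` header, that header is parsed and only the sensitive cookies inside it are masked. The regex, the `SUBSTITUTE` string, the helper names and the sample request are all constructed for this example; the `SESSION` term is what keeps the session cookie out of the report, alongside the usual password/token/key names.

```python
import re

# Key names that must never appear in plain text in an error report.
# SESSION is included so the session cookie is treated like any other credential.
HIDDEN_RE = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE|SESSION", re.IGNORECASE)
SUBSTITUTE = "********************"


def cleanse_cookie_header(header: str) -> str:
    """Mask only the sensitive cookies inside a raw Cookie header string.

    Harmless cookies (e.g. a UI theme preference) stay readable so the
    report remains useful for debugging.
    """
    parts = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, _value = chunk.partition("=")
        if sep and HIDDEN_RE.search(name.strip()):
            parts.append(f"{name.strip()}={SUBSTITUTE}")
        else:
            parts.append(chunk)
    return "; ".join(parts)


def cleanse_request_meta(meta: dict) -> dict:
    """Return a copy of a WSGI-style META dict safe to include in a report."""
    cleansed = {}
    for key, value in meta.items():
        if key == "HTTP_COOKIE":
            # The raw header is where session IDs usually leak: mask per cookie.
            cleansed[key] = cleanse_cookie_header(value)
        elif HIDDEN_RE.search(key):
            cleansed[key] = SUBSTITUTE
        else:
            cleansed[key] = value
    return cleansed


def cleanse_cookies(cookies: dict) -> dict:
    """Apply the same rule to an already-parsed cookie dict."""
    return {k: (SUBSTITUTE if HIDDEN_RE.search(k) else v) for k, v in cookies.items()}


def render_report(meta: dict) -> str:
    """Render the cleansed META block as it would appear in a text report."""
    return "\n".join(f"{k} = {v}" for k, v in sorted(cleanse_request_meta(meta).items()))


def leaked_secrets(report: str, secrets: list) -> list:
    """Check a rendered report for raw secret values; returns those found.

    A test suite can run this over every report the application emits to
    detect a regression in the cleansing rules.
    """
    return [s for s in secrets if s in report]


# Constructed sample request: the values are placeholders, not real credentials.
SAMPLE_META = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/accounts/profile/",
    "HTTP_COOKIE": "sessionid=EXAMPLE_SESSION_VALUE; csrftoken=EXAMPLE_CSRF; theme=dark",
    "SESSION_COOKIE_NAME": "sessionid",
    "HTTP_X_API_KEY": "EXAMPLE_API_KEY",
}
SAMPLE_SECRETS = ["EXAMPLE_SESSION_VALUE", "EXAMPLE_CSRF", "EXAMPLE_API_KEY"]

if __name__ == "__main__":
    report = render_report(SAMPLE_META)
    print(report)
    print("leaked:", leaked_secrets(report, SAMPLE_SECRETS))
```

Masking the whole `HTTP_COOKIE` header would also work, but parsing it keeps non-credential cookies visible, which is the trade-off a reporter filter usually wants. The `leaked_secrets` check is the regression test to keep: feed it the rendered report and the known test credentials, and expect an empty list.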

Change History (6)

comment:1 by Simon Charette, 2 years ago

Triage Stage: Unreviewed → Accepted
Type: Bug → Cleanup/optimization

comment:2 by Mariusz Felisiak, 2 years ago

Owner: set to Tobias Bengfort
Status: new → assigned

comment:3 by Carlton Gibson, 2 years ago

Needs documentation: set

comment:4 by Tobias Bengfort, 18 months ago

Needs documentation: unset

comment:5 by Carlton Gibson, 17 months ago

Triage Stage: Accepted → Ready for checkin

comment:6 by Carlton Gibson <carlton@…>, 17 months ago

Resolution: fixed
Status: assigned → closed

In 350455b6:

Fixed #33606 -- Cleansed sessionid cookie in error reports.

Co-authored-by: Simon Charette <charette.s@…>
