Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#35646 closed Cleanup/optimization (fixed)

SafeExceptionReporterFilter should filter settings and headers such as HTTP_AUTHORIZATION

Reported by: Natalia Bidart Owned by: Natalia Bidart
Component: Error reporting Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Following a report from Carlos Pastor:

HTTP_AUTHORIZATION is not filtered out by django.views.debug.SafeExceptionReporterFilter.get_safe_request_meta.
[...] Many frameworks use this header to store the session tokens, including django-rest-framework when used with the TokenAuthentication class. The token will leak by the default AdminEmailHandler class, as it is stored in this header.

Considering that sensitive data filtering is implemented as a "best effort solution" and that is documented accordingly (see docs), this ticket aims to harden SafeExceptionReporterFilter.

Change History (4)

comment:1 by Natalia Bidart, 3 months ago

Has patch: set

comment:2 by Sarah Boyce, 3 months ago

Triage Stage: UnreviewedAccepted

comment:3 by nessita <124304+nessita@…>, 3 months ago

Resolution: fixed
Status: assignedclosed

In aa907950:

Fixed #35646 -- Extended SafeExceptionReporterFilter.hidden_settings to treat AUTH as a sensitive match.

Co-authored-by: Natalia <124304+nessita@…>

comment:4 by Natalia Bidart, 3 months ago

Triage Stage: AcceptedReady for checkin
Note: See TracTickets for help on using tickets.
Back to Top