SafeExceptionReporterFilter should filter settings and headers such as HTTP_AUTHORIZATION
Following a report from Carlos Pastor:
HTTP_AUTHORIZATION is not filtered out by django.views.debug.SafeExceptionReporterFilter.get_safe_request_meta.
[...] Many frameworks use this header to store the session tokens, including django-rest-framework when used with the TokenAuthentication class. The token will leak by the default AdminEmailHandler class, as it is stored in this header.
Considering that sensitive data filtering is implemented as a "best effort solution" and that this is documented accordingly (see docs), this ticket aims to harden SafeExceptionReporterFilter.
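The leak described above comes from the filter inspecting only the name of each request.META key: a header named HTTP_AUTHORIZATION contains none of the substrings that mark a value as a credential, so its bearer token is copied into the error report verbatim. The following is an added example written for this page, not code from the ticket or from Django itself: it models that key-name matching on a constructed META dictionary, shows which sensitive keys a credential-looking pattern still lets through, and shows the same check with the header names added. Both regular expressions and the SAMPLE_META values are assumptions for the illustration, not a copy of Django's source.

```python
import re

# Constructed request.META for a failing request. These values are made
# up for the example, not captured from a real deployment.
SAMPLE_META = {
    "HTTP_AUTHORIZATION": "Token 0123456789abcdef",
    "HTTP_X_API_KEY": "example-api-key",
    "HTTP_COOKIE": "sessionid=example-session",
    "HTTP_HOST": "example.test",
    "REMOTE_ADDR": "203.0.113.10",
}

# Keys whose values must never reach an error e-mail (constructed ground
# truth for this example, used to measure what each pattern misses).
SENSITIVE_KEYS = {"HTTP_AUTHORIZATION", "HTTP_COOKIE", "HTTP_X_API_KEY"}

# Replacement written into the report in place of a sensitive value.
CLEANSED_SUBSTITUTE = "********************"

# Key-name matching, the same idea the filter in the ticket relies on.
# The first pattern (an assumption for this example) only recognises
# names that look like credentials, so HTTP_AUTHORIZATION passes through
# untouched: the gap the ticket describes. The second adds the header
# names that carry bearer tokens and session cookies.
LEAKY_HIDDEN = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.I)
HARDENED_HIDDEN = re.compile(
    r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE|AUTHORIZATION|COOKIE", re.I
)


def cleanse_meta(meta, hidden):
    """Return a copy of ``meta`` with the values of matching keys masked.

    Only the key name is inspected, never the value, so a secret stored
    under a bland header name is not caught. That is why the list of
    header names has to be maintained deliberately rather than trusting
    the generic credential-looking substrings to cover everything.
    """
    safe = {}
    for key, value in meta.items():
        if hidden.search(key):
            safe[key] = CLEANSED_SUBSTITUTE
        else:
            safe[key] = value
    return safe


def leaked_keys(meta, hidden):
    """Sensitive keys whose original value would still appear in a report."""
    safe = cleanse_meta(meta, hidden)
    return sorted(
        key for key in SENSITIVE_KEYS if key in meta and safe[key] == meta[key]
    )


if __name__ == "__main__":
    print("leaked with credential-looking pattern:",
          leaked_keys(SAMPLE_META, LEAKY_HIDDEN))
    print("leaked with hardened pattern:",
          leaked_keys(SAMPLE_META, HARDENED_HIDDEN))
    for key, value in cleanse_meta(SAMPLE_META, HARDENED_HIDDEN).items():
        print(f"{key}: {value}")
```

In a Django project the same override lives in a SafeExceptionReporterFilter subclass referenced from the DEFAULT_EXCEPTION_REPORTER_FILTER setting; on versions that expose the filter's hidden_settings attribute, extending that pattern is the supported way to add header names, while older versions require overriding get_safe_request_meta directly. Whichever hook is used, the check worth keeping in a test suite is the one leaked_keys performs: feed a META with the headers your authentication layer actually uses and assert that none of them survive the filter.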
Change History (4)
Triage Stage: Unreviewed → Accepted
Resolution: → fixed
Status: assigned → closed
Triage Stage: Accepted → Ready for checkin
In aa907950: