Context Navigation

← Previous Ticket
Next Ticket →

Opened 13 months ago

Last modified 8 months ago

#35930 assigned Cleanup/optimization

Database password visible on debug page — at Version 2

Reported by:	bytej4ck	Owned by:
Component:	Error reporting	Version:	dev
Severity:	Normal	Keywords:	db, password, exposed
Cc:	bytej4ck	Triage Stage:	Accepted
Has patch:	yes	Needs documentation:	no
Needs tests:	yes	Patch needs improvement:	yes
Easy pickings:	no	UI/UX:	no

Description (last modified by bytej4ck)

In debug page view, secrets are not visible due to masked with '*'. When there is mysql db connection error due to unreachable db server: self.connection = self.get_new_connection(conn_params) exposes db password under Local vars dropdown.

    conn_params {'charset': 'utf8mb4',
           'client_flag': 2,
           'conv': {0: <class 'decimal.Decimal'>,
          1: <class 'int'>,
          2: <class 'int'>,
          3: <class 'int'>,
          4: <class 'float'>,
          5: <class 'float'>,
          7: <function DateTime_or_None at 0x7f6218e5b490>,
          8: <class 'int'>,
          9: <class 'int'>,
          10: <function Date_or_None at 0x7f6218e5b640>,
          11: <function typecast_time at 0x7f6219d803a0>,
          12: <function DateTime_or_None at 0x7f6218e5b490>,
          13: <class 'int'>,
          15: <class 'bytes'>,
          245: <class 'bytes'>,
          246: <class 'decimal.Decimal'>,
          249: <class 'bytes'>,
          250: <class 'bytes'>,
          251: <class 'bytes'>,
          252: <class 'bytes'>,
          253: <class 'bytes'>,
          254: <class 'bytes'>,
          <class 'array.array'>: <function array2Str at 0x7f6218e84160>,
          <class 'decimal.Decimal'>: <function Decimal2Literal at 0x7f6218e840d0>,
          <class 'datetime.date'>: <function Thing2Literal at 0x7f6218e84040>,
          <class 'datetime.datetime'>: <function DateTime2literal at 0x7f6218e5b6d0>,
          <class 'datetime.timedelta'>: <function DateTimeDelta2literal at 0x7f6218e5b760>,
          <class 'set'>: <function Set2Str at 0x7f6218e5bd90>,
          <class 'NoneType'>: <function None2NULL at 0x7f6218e5bf40>,
          <class 'int'>: <function Thing2Str at 0x7f6218e5be20>,
          <class 'float'>: <function Float2Str at 0x7f6218e5beb0>,
          <class 'bool'>: <function Bool2Str at 0x7f6218e5bc70>},
 'database': 'test-db',
 'password': 'test_password',
 'unix_socket': '/example/test-db',
 'user': 'example_user'}

Would be better if all db credentials in debug mode should be masked also with '*'.

Change History (3)

by bytej4ck, 13 months ago

Attachment:	2024-11-22_21-17.png added

comment:1 by Tim Graham, 13 months ago

Component:	Uncategorized → Error reporting
Resolution:	→ needsinfo
Status:	new → closed
Type:	Uncategorized → Bug

It's unclear how to reproduce the problem. Please reopen if you can provide a minimal example.

comment:2 by bytej4ck, 13 months ago

Description:	modified (diff)
Resolution:	needsinfo
Status:	closed → new
Summary:	Database password visible on debug page (view source only) → Database password visible on debug page
Version:	4.1

Note: See TracTickets for help on using tickets.

Download in other formats: