Opened 71 minutes ago
Last modified 61 minutes ago
#37170 assigned Bug
No-argument form of @sensitive_post_parameters() doesn't cleanse request.POST
| Reported by: | Jacob Walls | Owned by: | Jacob Walls |
|---|---|---|---|
| Component: | Error reporting | Version: | dev |
| Severity: | Normal | Keywords: | not-security |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
The Security Team closed an informative report about the no-argument form of @sensitive_post_parameters() not cleansing request.POST, as you can see from adjusting this existing test:
-
tests/view_tests/views.py
diff --git a/tests/view_tests/views.py b/tests/view_tests/views.py index 1986341177..835fe22111 100644
a b async def async_sensitive_method_view_nested(request): 398 398 399 399 400 400 @sensitive_variables("sauce") 401 @sensitive_post_parameters( "bacon-key", "sausage-key")401 @sensitive_post_parameters() 402 402 def multivalue_dict_key_error(request): 403 403 cooked_eggs = "".join(["s", "c", "r", "a", "m", "b", "l", "e", "d"]) # NOQA 404 404 sauce = "".join( # NOQA
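Review bot: swapping the decorator on the existing `multivalue_dict_key_error` view from the explicit `("bacon-key", "sausage-key")` form to the bare `@sensitive_post_parameters()` removes the explicit-names coverage instead of adding the no-argument case alongside it; for a regression test, keep this view as it was and add a second view decorated with the bare form, asserting that neither 'bacon-value' nor 'sausage-value' appears in the response.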
AssertionError: 2 != 0 :'sausage-value' unexpectedly found in the following response
... but the exception reporter filter is not in-scope for security issues, as filtering is done on a best-efforts basis.
Looks like an oversight in #21098.
Thanks LocalHost for the report.
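A stand-alone model of the defect class the ticket describes, added here as an example rather than taken from Django's source: a cleanser that handles the explicit-names form of the decorator but not the marker the no-argument form leaves on the request, shown beside a version that handles both, with a leak check that fails the way the adjusted test does. The `ALL` sentinel string, the substitute text and the constructed POST dict are assumptions made for the example.

```python
from typing import Mapping, Union

ALL = "__ALL__"  # assumed marker for the no-argument decorator form
SUBSTITUTE = "********************"  # assumed replacement text

Marker = Union[str, tuple]


def sensitive_post_parameters(*names: str) -> Marker:
    """Model of the decorator: no names means 'hide every POST parameter'."""
    return ALL if not names else tuple(names)


def cleanse_buggy(marker: Marker, post: Mapping[str, str]) -> dict:
    """Only the explicit-names branch exists.  With the sentinel the loop
    iterates the string character by character, matches no key, and
    returns the POST data untouched."""
    cleansed = dict(post)
    for name in marker:
        if name in cleansed:
            cleansed[name] = SUBSTITUTE
    return cleansed


def cleanse_fixed(marker: Marker, post: Mapping[str, str]) -> dict:
    """Handle the sentinel explicitly before falling back to named keys."""
    cleansed = dict(post)
    if marker == ALL:
        for key in cleansed:
            cleansed[key] = SUBSTITUTE
    else:
        for name in marker:
            if name in cleansed:
                cleansed[name] = SUBSTITUTE
    return cleansed


def leaked_values(cleansed: Mapping[str, str], post: Mapping[str, str]) -> list:
    """Raw POST values that still appear in the cleansed copy (the check a
    regression test should make for both keys, not just one)."""
    return sorted(v for v in post.values() if v in cleansed.values())


# Constructed sample POST, using the keys from the test view in the ticket.
POST = {"bacon-key": "bacon-value", "sausage-key": "sausage-value"}

if __name__ == "__main__":
    print("buggy, no args :", leaked_values(cleanse_buggy(sensitive_post_parameters(), POST), POST))
    print("fixed, no args :", leaked_values(cleanse_fixed(sensitive_post_parameters(), POST), POST))
```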
Change History (2)
comment:1 by , 69 minutes ago
| Description: | modified (diff) |
|---|
comment:2 by , 61 minutes ago
| Triage Stage: | Unreviewed → Accepted |
|---|