Opened 3 weeks ago

Closed 2 weeks ago

Last modified 2 weeks ago

#37170 closed Bug (fixed)

No-argument form of @sensitive_post_parameters() doesn't cleanse request.POST

Reported by: Jacob Walls Owned by: Jacob Walls
Component: Error reporting Version: dev
Severity: Normal Keywords: not-security
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Jacob Walls)

The Security Team closed an informative report about the no-argument form of @sensitive_post_parameters() not cleansing request.POST, as you can see from adjusting this existing test:

  • tests/view_tests/views.py

    diff --git a/tests/view_tests/views.py b/tests/view_tests/views.py
    index 1986341177..835fe22111 100644
    a b async def async_sensitive_method_view_nested(request):  
    398398
    399399
    400400@sensitive_variables("sauce")
    401 @sensitive_post_parameters("bacon-key", "sausage-key")
     401@sensitive_post_parameters()
    402402def multivalue_dict_key_error(request):
    403403    cooked_eggs = "".join(["s", "c", "r", "a", "m", "b", "l", "e", "d"])  # NOQA
    404404    sauce = "".join(  # NOQA
AssertionError: 2 != 0 :'sausage-value' unexpectedly found in the following response

... but the exception reporter filter is not in-scope for security issues, as filtering is done on a best-efforts basis.

Looks like an oversight in #21098.

Thanks LocalHost for the report.

Change History (6)

comment:1 by Jacob Walls, 3 weeks ago

Description: modified (diff)

comment:2 by Natalia Bidart, 3 weeks ago

Triage Stage: UnreviewedAccepted

comment:3 by Jacob Walls, 3 weeks ago

Has patch: set

comment:4 by Natalia Bidart, 2 weeks ago

Triage Stage: AcceptedReady for checkin

comment:5 by Jacob Walls <jacobtylerwalls@…>, 2 weeks ago

Resolution: fixed
Status: assignedclosed

In 56050ac:

Fixed #37170 -- Applied the no-argument form of sensitive_post_parameters to MultiValueDict.

comment:6 by Jacob Walls <jacobtylerwalls@…>, 2 weeks ago

In 553c0827:

[6.1.x] Fixed #37170 -- Applied the no-argument form of sensitive_post_parameters to MultiValueDict.

Backport of 56050acb96abc7ac2079d83ffdd232056732bb47 from main.

Note: See TracTickets for help on using tickets.
Back to Top