id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
7472,Potentially sensitive information leaked if an error occurs when a page is served over HTTPS,Fraser Nevett,nobody,"If an error occurs while processing a request, Django sends an email to those defined in `settings.ADMIN`. This email contains a `repr` of the request object, which includes GET and POST data amongst other things. If the request came in over HTTP'''S''' then potentially very sensitive information could be leaked as plain text in the email. HTTPS is designed to secure the transmission of the data between the browser and the server. The issue here is that the contents of Django's error email is not encrypted, so that as it travels from the web server to the admins' email servers it is in plain text form which any ""man in the middle"" could read. The attached patch simply omits the request details if HTTPS was used. I've discussed this with Jacob on the security mailing list and he's asked me to raise a ticket with this patch and assign it as a 1.0 item.",,closed,HTTP handling,dev,,wontfix,,me@…,Accepted,1,0,0,0,0,0