#799 closed defect (fixed)
new error templates expose secret keys
Reported by: | | Owned by: | Adrian Holovaty
---|---|---|---
Component: | Core (Other) | Version: |
Severity: | major | Keywords: |
Cc: | | Triage Stage: | Unreviewed
Has patch: | no | Needs documentation: | no
Needs tests: | no | Patch needs improvement: | no
Easy pickings: | no | UI/UX: | no
Description
there needs to be a way to NOT print out settings.
in this case SECRET_KEY from the default project,
but also CSRF_MIDDLEWARE_SECRET from other middleware.
maybe variables with the word 'SECRET' in them get printed out as stars?
remember.. this new error template is used by default, so a lot of newbie sites will be vulnerable to having their cookie hijacked. not a nice thing.
marking as a 'major' as it has security implications.
Change History (5)
comment:1 by , 19 years ago
comment:2 by , 19 years ago
One could argue that it's not a problem since the settings are only printed out if DEBUG is True.
comment:3 by , 19 years ago
I think even though it only happens with DEBUG=True it should be secured in a way that doesn't produce potential security leaks. Actually instead of listing settings that should not be shown I would opt for only showing specific settings (and to not put all of them in the list, of course). If the programmer wants to see all settings, he can always look in his settings file ...
comment:4 by , 19 years ago
good idea hugo.
Esaj, the problem with that thinking is that DEBUG=true is the default setting for a new project ;(
comment:5 by , 19 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
add 'PASSWORD' and DATABASE_ to the list of naughty words.
It also exposes the database password.
in fact it might be just easier to *NOT* print out the settings ;(
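Added example, not Django's code and not from the ticket: the two filtering strategies the thread discusses, written as plain Python over a constructed settings dict. `mask_settings` is the deny-list the reporter proposes (star out anything whose name contains the markers named in the ticket: SECRET, PASSWORD, DATABASE_), and `pick_settings` is the allow-list hugo suggests in comment 3. The marker tuple, the allow-list contents and every sample value are assumptions made for the example.

```python
# Hypothetical deny-list built from the names mentioned in the ticket.
SENSITIVE_MARKERS = ("SECRET", "PASSWORD", "DATABASE_")
MASK = "********"

# Hypothetical allow-list for the alternative approach from comment 3.
DEFAULT_ALLOWED = frozenset({"DEBUG", "INSTALLED_APPS", "DATABASE_ENGINE"})


def is_sensitive(name: str) -> bool:
    """True if a setting name contains one of the markers (case-insensitive)."""
    upper = name.upper()
    return any(marker in upper for marker in SENSITIVE_MARKERS)


def mask_settings(settings: dict) -> dict:
    """Deny-list approach: keep every setting on the debug page, but replace
    the value of anything that looks secret with stars.

    Caveat a defender should keep in mind: a name that carries a secret but
    matches none of the markers (e.g. AUTH_TOKEN below) is still printed."""
    return {k: (MASK if is_sensitive(k) else v) for k, v in settings.items()}


def pick_settings(settings: dict, allowed: frozenset = DEFAULT_ALLOWED) -> dict:
    """Allow-list approach: show only names that were explicitly permitted,
    so an unanticipated secret-bearing setting is never displayed."""
    return {k: v for k, v in settings.items() if k in allowed}


# Constructed sample resembling a default project's settings module.
SAMPLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "constructed-example-key",
    "CSRF_MIDDLEWARE_SECRET": "constructed-example-csrf-secret",
    "DATABASE_ENGINE": "postgresql",
    "DATABASE_PASSWORD": "constructed-example-db-password",
    "AUTH_TOKEN": "constructed-example-token-not-matched",
    "INSTALLED_APPS": ["django.contrib.admin"],
}

if __name__ == "__main__":
    for name, value in sorted(mask_settings(SAMPLE_SETTINGS).items()):
        print(f"deny-list  {name} = {value!r}")
    for name, value in sorted(pick_settings(SAMPLE_SETTINGS).items()):
        print(f"allow-list {name} = {value!r}")
```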