Opened 10 years ago

Closed 10 years ago

Last modified 9 years ago

#799 closed defect (fixed)

new error templates expose secret keys

Reported by: Ian@…
Owned by: adrian
Component: Core (Other)
Version:
Severity: major
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

There needs to be a way to NOT print out settings;
in this case SECRET_KEY from the default project,
but also CSRF_MIDDLEWARE_SECRET from other middleware.

Maybe variables with the word 'SECRET' in them get printed out as stars?

Remember, this new error template is used by default, so a lot of newbie sites will be vulnerable to having their cookie hijacked. Not a nice thing.

Marking as 'major' as it has security implications.

Change History (5)

comment:1 Changed 10 years ago by ian@…

Add 'PASSWORD' and DATABASE_ to the list of naughty words.
It also exposes the database password.

In fact it might be just easier to *NOT* print out the settings ;(

comment:2 Changed 10 years ago by Esaj

One could argue that it's not a problem since the settings are only printed out if DEBUG is True.

comment:3 Changed 10 years ago by hugo

I think even though it only happens with DEBUG=True it should be secured in a way that doesn't produce potential security leaks. Actually, instead of listing settings that should not be shown, I would opt for only showing specific settings (and to not put all of them in the list, of course). If the programmer wants to see all settings, he can always look in his settings file ...

comment:4 Changed 10 years ago by ian@…

Good idea, hugo.
Esaj, the problem with that thinking is that DEBUG=true is the default setting for a new project ;(

comment:5 Changed 10 years ago by jacob

  • Resolution set to fixed
  • Status changed from new to closed

(In [1242]) Fixed #799: any setting with "SECRET" or "PASSWORD" in the name is escaped in the debug view output (this can be expanded if there are other "naughty words" we want to strip out in the future. Thanks, Ian
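A worked illustration of the two approaches discussed in this ticket: the name-based denylist adopted in the fix (mask any setting whose name contains a "naughty word") and hugo's allowlist alternative (show only settings explicitly judged safe). This is an added example written for this page, not Django's own debug-view code. The names HIDDEN_SETTINGS, CLEANSED, cleanse_setting, cleanse_settings, SAFE_TO_SHOW, allowlisted_settings and the SAMPLE_SETTINGS dict are all constructed for the example; the word list extends the ticket's SECRET/PASSWORD pair with a few more assumed substrings, and the masking recurses into dict- and list-valued settings, which goes beyond what the commit message describes.

```python
import re
from typing import Any, Mapping

# Substrings that mark a setting name as sensitive. The fix in [1242] used
# only SECRET and PASSWORD; the remaining words are an assumed extension of
# that list, in the spirit of the commit message's "can be expanded" note.
HIDDEN_SETTINGS = re.compile(r"SECRET|PASSWORD|API|TOKEN|KEY|SIGNATURE", re.IGNORECASE)
CLEANSED = "********************"

# Constructed sample settings for the example; none of these values are real.
SAMPLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "constructed-not-a-real-key",
    "CSRF_MIDDLEWARE_SECRET": "constructed-csrf-secret",
    "DATABASE_PASSWORD": "constructed-db-password",
    "DATABASES": {
        "default": {"ENGINE": "django.db.backends.sqlite3", "PASSWORD": "constructed-nested"},
    },
    "ALLOWED_HOSTS": ["example.invalid"],
    # Not a secret, but its name trips the substring match (a denylist false positive).
    "PASSWORD_HASHERS": ["django.contrib.auth.hashers.PBKDF2PasswordHasher"],
}


def cleanse_setting(name: str, value: Any) -> Any:
    """Mask one setting by name, recursing into dicts and lists so that a
    secret nested under a harmless top-level name (DATABASES -> PASSWORD)
    is still caught rather than printed."""
    if HIDDEN_SETTINGS.search(name):
        return CLEANSED
    if isinstance(value, Mapping):
        return {k: cleanse_setting(str(k), v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        cleaned = [cleanse_setting("", v) for v in value]
        return tuple(cleaned) if isinstance(value, tuple) else cleaned
    return value


def cleanse_settings(settings: Mapping[str, Any]) -> dict:
    """Denylist approach (the ticket's fix): show everything, but replace any
    setting whose name looks secret with a fixed marker."""
    return {k: cleanse_setting(k, v) for k, v in settings.items()}


# Assumed allowlist for the example; a real one would be reviewed per project.
SAFE_TO_SHOW = frozenset({"DEBUG", "ALLOWED_HOSTS", "INSTALLED_APPS", "TIME_ZONE"})


def allowlisted_settings(settings: Mapping[str, Any], allowed=SAFE_TO_SHOW) -> dict:
    """Allowlist approach (hugo's suggestion): show only settings explicitly
    judged safe. Anything unknown, including a newly added secret with an
    unusual name, is omitted by default instead of leaking."""
    return {k: v for k, v in settings.items() if k in allowed}


if __name__ == "__main__":
    for name, value in cleanse_settings(SAMPLE_SETTINGS).items():
        print(f"{name} = {value!r}")
    print("allowlisted:", sorted(allowlisted_settings(SAMPLE_SETTINGS)))
```

The two functions fail in opposite directions: the denylist leaks any credential whose setting name does not contain one of the listed words, and masks harmless settings such as PASSWORD_HASHERS, while the allowlist never leaks but hides settings the developer may want to see. Either way, the check only matters because the debug page renders at all; the ticket's underlying point, that DEBUG=True is the default for a new project, is why the masking has to be on from the first request rather than something a site opts into.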
