Opened 19 years ago

Closed 19 years ago

Last modified 18 years ago

#799 closed defect (fixed)

new error templates expose secret keys

Reported by: Ian@… Owned by: Adrian Holovaty
Component: Core (Other) Version:
Severity: major Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

there needs to be a way to NOT print out settings.
in this case SECRET_KEY from the default project,
but also CSRF_MIDDLEWARE_SECRET from other middleware.

maybe variables with the word 'SECRET' in them get printed out as stars?

remember.. this new error template is used by default, so a lot of newbie sites will be vulnerable to having their cookie hijacked. not a nice thing.

marking as a 'major' as it has security implications.

Change History (5)

comment:1 by ian@…, 19 years ago

add 'PASSWORD' and DATABASE_ to the list of naughty words.
It also exposes the database password.

in fact it might be just easier to *NOT* print out the settings ;(

comment:2 by Esaj, 19 years ago

One could argue that it's not a problem since the settings are only printed out if DEBUG is True.

comment:3 by hugo, 19 years ago

I think even though it only happens with DEBUG=True it should be secured in a way that doesn't produce potential security leaks. Actually instead of listing settings that should not be shown I would opt for only showing specific settings (and to not put all of them in the list, of course). If the programmer wants to see all settings, he can always look in his settings file ...

comment:4 by ian@…, 19 years ago

good idea hugo.
Esaj, the problem with that thinking is that DEBUG=true is the default setting for a new project ;(

comment:5 by Jacob, 19 years ago

Resolution: fixed
Status: new → closed

(In [1242]) Fixed #799: any setting with "SECRET" or "PASSWORD" in the name is escaped in the debug view output (this can be expanded if there are other "naughty words" we want to strip out in the future). Thanks, Ian
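The two approaches discussed in this ticket, as an added example that is not Django's own code: a denylist filter over a settings dict that hides any value whose name contains a "naughty word" (the committed fix in comment 5, plus DATABASE_ from comment 1), beside the allowlist variant hugo proposes in comment 3. The function names, the sample settings and the placeholder string are constructed for illustration.

```python
# Substrings that mark a setting as sensitive (the ticket's "naughty words").
# DATABASE_ is deliberately coarse: it hides every database setting, not just
# the password, which is the trade-off comment 1 accepts.
SENSITIVE_MARKERS = ("SECRET", "PASSWORD", "DATABASE_")
HIDDEN = "********"  # constructed placeholder shown instead of the real value

# Constructed sample of what a default project's settings module might hold.
SAMPLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "constructed-secret-key",
    "CSRF_MIDDLEWARE_SECRET": "constructed-csrf-secret",
    "DATABASE_PASSWORD": "constructed-db-password",
    "DATABASE_NAME": "app",
    "TEMPLATE_DIRS": ("/srv/app/templates",),
}


def is_sensitive(name: str, markers=SENSITIVE_MARKERS) -> bool:
    """True if the setting name contains any sensitive marker (case-insensitive)."""
    upper = name.upper()
    return any(marker in upper for marker in markers)


def redact_settings(settings: dict, markers=SENSITIVE_MARKERS) -> dict:
    """Denylist mode (the committed fix): keep every key, hide sensitive values."""
    return {
        key: (HIDDEN if is_sensitive(key, markers) else value)
        for key, value in settings.items()
    }


def allowlist_settings(settings: dict, allowed) -> dict:
    """Allowlist mode (hugo's suggestion): show only explicitly permitted keys.

    A sensitive name is dropped even if someone lists it as allowed, so a
    mistaken allowlist entry cannot reintroduce the original leak.
    """
    return {
        key: value
        for key, value in settings.items()
        if key in allowed and not is_sensitive(key)
    }


if __name__ == "__main__":
    for key, value in sorted(redact_settings(SAMPLE_SETTINGS).items()):
        print(f"{key} = {value!r}")
```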
