Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#799 closed defect (fixed)

new error templates expose secret keys

Reported by: Ian@…
Owned by: adrian
Component: Core (Other)
Version:
Severity: major
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

there needs to be a way to NOT print out settings.
in this case SECRET_KEY from the default project,
but also CSRF_MIDDLEWARE_SECRET from other middleware.

maybe variables with the word 'SECRET' in them get printed out as stars?

remember.. this new error template is used by default, so a lot of newbie sites will be vulnerable to having their cookie hijacked. not a nice thing.

marking as a 'major' as it has security implications.

Attachments (0)

Change History (5)

comment:1 Changed 8 years ago by ian@…

add 'PASSWORD' and DATABASE_ to the list of naughty words.
It also exposes the database password.

in fact it might be just easier to *NOT* print out the settings ;(

comment:2 Changed 8 years ago by Esaj

One could argue that it's not a problem since the settings are only printed out if DEBUG is True.

comment:3 Changed 8 years ago by hugo

I think even though it only happens with DEBUG=True it should be secured in a way that doesn't produce potential security leaks. Actually instead of listing settings that should not be shown I would opt for only showing specific settings (and to not put all of them in the list, of course). If the programmer wants to see all settings, he can always look in his settings file ...

comment:4 Changed 8 years ago by ian@…

good idea hugo.
Esaj, the problem with that thinking is that DEBUG=true is the default setting for a new project ;(

comment:5 Changed 8 years ago by jacob

  • Resolution set to fixed
  • Status changed from new to closed

(In [1242]) Fixed #799: any setting with "SECRET" or "PASSWORD" in the name is escaped in the debug view output (this can be expanded if there are other "naughty words" we want to strip out in the future. Thanks, Ian
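The two approaches discussed in this ticket side by side, as an added example that is not the code committed in [1242] and not the project's own implementation: the name-based denylist that comment 5 describes (with the `DATABASE_` keyword from comment 1 and recursion into nested dicts so a password inside a `DATABASES` mapping is masked too), and the allowlist hugo proposes in comment 3. The keyword list, the safe-settings list, the sample settings dict and all function names are constructed for illustration. The example also shows the limitation the closing comment hints at when it says the word list "can be expanded": a secret whose name carries none of the keywords passes the denylist untouched, while the allowlist never prints it.

```python
import re

# Denylist of name fragments, as in the ticket: "SECRET" and "PASSWORD" from the
# fix in comment 5, "DATABASE_" from comment 1. Constructed list, not Django's own.
SENSITIVE_PATTERN = re.compile(r"SECRET|PASSWORD|DATABASE_")
MASK = "********"

# Allowlist of settings considered safe to show (hugo's approach in comment 3).
# Constructed for illustration; a real list would be chosen per project.
SAFE_SETTINGS = frozenset({"DEBUG", "INSTALLED_APPS", "TIME_ZONE", "LANGUAGE_CODE"})

# Constructed sample settings; every "secret" value here is a placeholder string.
SAMPLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "constructed-secret-key",
    "CSRF_MIDDLEWARE_SECRET": "constructed-csrf-secret",
    "DATABASE_PASSWORD": "constructed-db-password",
    "DATABASES": {"default": {"NAME": "app", "PASSWORD": "constructed-nested-password"}},
    "API_TOKEN": "constructed-token-without-keyword",
    "TIME_ZONE": "UTC",
}


def cleanse_settings(settings):
    """Denylist approach: copy the settings, masking the value of any key whose
    name contains a sensitive fragment. Nested dicts are cleansed recursively
    so that e.g. DATABASES -> default -> PASSWORD is also hidden."""
    cleansed = {}
    for key, value in settings.items():
        if SENSITIVE_PATTERN.search(str(key).upper()):
            cleansed[key] = MASK
        elif isinstance(value, dict):
            cleansed[key] = cleanse_settings(value)
        else:
            cleansed[key] = value
    return cleansed


def allowlisted_settings(settings):
    """Allowlist approach: show only settings known to be safe. Anything not
    listed is omitted entirely, so a newly added secret can never be printed."""
    return {key: value for key, value in settings.items() if key in SAFE_SETTINGS}


def render_settings(settings):
    """Render settings the way a debug page would list them: one 'KEY = value'
    line per top-level setting, sorted by name."""
    return "\n".join(f"{key} = {value!r}" for key, value in sorted(settings.items()))


def leaked_secrets(rendered, secret_values):
    """Defender's check: which known secret values still appear verbatim in the
    rendered debug output? Returns them sorted, empty list when nothing leaks."""
    return sorted(secret for secret in secret_values if secret in rendered)


# Every placeholder secret from the sample settings, for the leak check.
SAMPLE_SECRETS = (
    "constructed-secret-key",
    "constructed-csrf-secret",
    "constructed-db-password",
    "constructed-nested-password",
    "constructed-token-without-keyword",
)


def compare_approaches(settings=SAMPLE_SETTINGS, secrets=SAMPLE_SECRETS):
    """Return the secrets that each approach still leaks into the rendered output."""
    return {
        "denylist": leaked_secrets(render_settings(cleanse_settings(settings)), secrets),
        "allowlist": leaked_secrets(render_settings(allowlisted_settings(settings)), secrets),
    }


if __name__ == "__main__":
    print(render_settings(cleanse_settings(SAMPLE_SETTINGS)))
    print()
    print(compare_approaches())
```

Run stand-alone, the denylist output masks `SECRET_KEY`, `CSRF_MIDDLEWARE_SECRET`, `DATABASE_PASSWORD` and the nested database password, but prints `API_TOKEN` in the clear; the allowlist output contains only `DEBUG` and `TIME_ZONE`. The `leaked_secrets` check is the kind of test a project can keep around so that a new secret-bearing setting name is caught before it reaches an error page.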
