new error templates expose secret keys
|Reported by:| |Owned by:|Adrian Holovaty|
|Has patch:|no|Needs documentation:|no|
|Needs tests:|no|Patch needs improvement:|no|
There needs to be a way to NOT print out settings.
In this case SECRET_KEY from the default project,
but also CSRF_MIDDLEWARE_SECRET from other middleware.
Maybe variables with the word 'SECRET' in them get printed out as stars?
Remember: this new error template is used by default, so a lot of newbie sites will be vulnerable to having their cookies hijacked. Not a nice thing.
Marking as 'major' as it has security implications.
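The masking idea proposed in the ticket, sketched as an added example; it is not part of the original report and not Django's own code. The names `cleanse`, `safe_settings`, `MASK` and the sample settings are assumptions made for illustration, and the example goes one step beyond the ticket by also masking secrets nested inside dictionaries and lists.

```python
import re

# Assumption: only the fragment the ticket proposes ('SECRET') marks a name as sensitive.
SENSITIVE_NAME = re.compile(r"SECRET", re.IGNORECASE)
MASK = "********************"


def cleanse(name, value):
    """Return a copy of value that is safe to render, masking it if name is sensitive."""
    if isinstance(name, str) and SENSITIVE_NAME.search(name):
        return MASK
    if isinstance(value, dict):
        # A non-sensitive setting can still hold a secret one level down.
        return {k: cleanse(k, v) for k, v in value.items()}
    if isinstance(value, list):
        return [cleanse("", v) for v in value]
    if isinstance(value, tuple):
        return tuple(cleanse("", v) for v in value)
    return value


def safe_settings(settings):
    """Build the mapping an error template may display: upper-case names, secrets masked."""
    return {
        name: cleanse(name, value)
        for name, value in sorted(settings.items())
        if name.isupper()
    }


# Constructed sample settings (values are placeholders, not real keys).
SAMPLE = {
    "DEBUG": True,
    "SECRET_KEY": "constructed-secret-key",
    "CSRF_MIDDLEWARE_SECRET": "constructed-csrf-secret",
    "MIDDLEWARE_OPTIONS": {"csrf": {"secret": "constructed-nested", "cookie_name": "csrftoken"}},
    "ADMINS": [{"name": "admin", "api_secret": "constructed-list-secret"}],
    "helper": "module-level name that is not a setting",
}

if __name__ == "__main__":
    for key, val in safe_settings(SAMPLE).items():
        print(f"{key} = {val!r}")
```

The error page would render the result of `safe_settings(...)` instead of the raw settings module, so the original values are never passed to the template.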