I just discovered that using @method_decorator(sensitive_post_parameters()) doesn't properly cleanse request.POST for all of the traceback frames. Specifically, method_decorator's inner bound_func leaks the request because it is contained in the args2 variable and not named request.
I plan on creating a ticket for this. If this usage is deemed valid, then it's a pretty serious issue for any site dealing with credit cards and it's probably a release blocker. If this usage is not valid, then the ticket will be to update the documentation so that others know not to do that. Regards, Michael Manfre -- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAGdCwBvDyULgNvcQ6KKOhaeuxiO6_%2Bu3JtWYy7brDakJDr5UNQ%40mail.gmail.com. For more options, visit https://groups.google.com/groups/opt_out.
