Posting some of the discussion from IRC: I've done some recent work with sensitive_post_parameters:

https://github.com/django/django/commit/2daada800f8e28cc1ba664b3008efaefab8fb570

The general lesson I learned was that blacklisting isn't a very comprehensive approach and there are definitely ways you can inadvertently leak data. The docs should probably warn against insecure error collection (like email), even if using the sensitive decorators. Patches to improve things would be welcome. I'm hesitant to treat it as a security issue/release blocker, but we can probably backport it to 1.6 at least.

On Thursday, October 17, 2013 3:50:21 PM UTC-4, Michael Manfre wrote:
>
> I just discovered that using @method_decorator(sensitive_post_parameters())
> doesn't properly cleanse request.POST for all of the traceback frames.
> Specifically, method_decorator's inner bound_func leaks the request because
> it is contained in the args2 variable and not named request.
>
> I plan on creating a ticket for this. If this usage is deemed valid, then
> it's a pretty serious issue for any site dealing with credit cards and it's
> probably a release blocker. If this usage is not valid, then the ticket
> will be to update the documentation so that others know not to do that.
>
> Regards,
> Michael Manfre

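The mechanism Michael describes, reduced to a stand-alone illustration (this is constructed example code, not Django's code and not the linked commit): a traceback cleanser that only recognises a local literally named `request` misses the same object when it sits inside a wrapper's `*args2` tuple, whereas a type-based walk through containers catches it at any depth. `FakeRequest`, `cleanse_post`, `naive_cleanse_locals`, `deep_cleanse` and `secret_leaks` are all assumed names for this simulation; the card number is a constructed test value.

```python
"""Constructed illustration (not Django's code): name-based versus type-based
cleansing of traceback frame locals when a request object is hidden in *args."""
import sys

CLEANSED = "********************"
SECRET = "4111111111111111"  # constructed sample card number, not real data


class FakeRequest:
    """Stand-in for HttpRequest (constructed). Like Django's HttpRequest of that
    era, its repr dumps POST, which is what lands on a debug page or in a
    traceback email if the object is left uncleansed."""

    def __init__(self, post, sensitive_post_parameters=None):
        self.POST = dict(post)
        # sensitive_post_parameters() marks the request with the parameter names
        self.sensitive_post_parameters = sensitive_post_parameters

    def __repr__(self):
        return "<FakeRequest POST:%r>" % (self.POST,)


def cleanse_post(request):
    """Return a copy of request.POST with the marked parameters masked."""
    marker = request.sensitive_post_parameters
    if marker == "__ALL__":
        return {k: CLEANSED for k in request.POST}
    sensitive = set(marker or ())
    return {k: (CLEANSED if k in sensitive else v) for k, v in request.POST.items()}


def naive_cleanse_locals(frame_locals):
    """Name-based blacklist: only a local literally named 'request' is treated
    as a request. A request inside a tuple such as method_decorator's args2
    passes through untouched."""
    out = {}
    for name, value in frame_locals.items():
        if name == "request" and isinstance(value, FakeRequest):
            out[name] = cleanse_post(value)
        else:
            out[name] = value
    return out


def deep_cleanse(value, _seen=None):
    """Type-based walk: replace every FakeRequest found at any depth inside
    tuples, lists, sets and dicts with its cleansed POST. _seen guards cycles."""
    if _seen is None:
        _seen = set()
    if isinstance(value, FakeRequest):
        return cleanse_post(value)
    if isinstance(value, (tuple, list, set, frozenset, dict)):
        if id(value) in _seen:
            return "<recursive>"
        _seen.add(id(value))
        if isinstance(value, dict):
            return {k: deep_cleanse(v, _seen) for k, v in value.items()}
        items = [deep_cleanse(v, _seen) for v in value]
        return tuple(items) if isinstance(value, tuple) else type(value)(items)
    return value


def deep_cleanse_locals(frame_locals):
    return {name: deep_cleanse(value) for name, value in frame_locals.items()}


def secret_leaks(cleanser):
    """Raise inside a view reached through a method_decorator-style wrapper,
    cleanse every traceback frame's locals with `cleanser`, and report whether
    the sample card number is still visible in any frame's variable reprs."""
    request = FakeRequest({"card_number": SECRET, "name": "Ada"}, "__ALL__")

    def view(request):
        raise RuntimeError("simulated view failure")

    # Mirrors method_decorator's inner bound_func: the request arrives in
    # *args2, so no local in this frame is named 'request'.
    def bound_func(*args2, **kwargs2):
        return view(*args2, **kwargs2)

    cleansed_frames = []
    try:
        bound_func(request)
    except RuntimeError:
        tb = sys.exc_info()[2]
        while tb is not None:
            cleansed_frames.append(cleanser(dict(tb.tb_frame.f_locals)))
            tb = tb.tb_next
    return any(SECRET in repr(v) for frame in cleansed_frames for v in frame.values())


if __name__ == "__main__":
    print("name-based cleanser leaks:", secret_leaks(naive_cleanse_locals))  # True
    print("type-based cleanser leaks:", secret_leaks(deep_cleanse_locals))   # False
```

The point for a defender is the one the reply above makes: any cleanser that enumerates known-bad names is only as good as its list, so error reports should still be treated as sensitive wherever they are stored or mailed, decorator or not.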