Django already attempts to mask security-sensitive settings in the debug page.

It would make sense to do the same by default for the output of diffsettings: 
obfuscate secrets.

A --include-secrets flag (or any other name) would show the secrets.

-- 
Aymeric.
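The behaviour discussed in this thread (a settings dump that masks secrets by default, with a flag to show them, and that catches common third-party names such as AWS_SECRET_ACCESS_KEY as well as nested values like a database PASSWORD) can be sketched in plain Python. The block below is an added example written for this page; it is not Django's diffsettings code or any code from the thread's participants. The name pattern is modelled on the regular expression Django's debug page uses to cleanse settings, the `EXTRA_SECRET_NAMES` allow-list is a hypothetical stand-in for the "standardized way of marking settings as secret" idea, and `SAMPLE_SETTINGS` is a constructed settings dict, not a real project's.

```python
"""Dump run-time settings with secrets masked (added example, not Django code)."""
import argparse
import re
from typing import Any, Mapping

# Modelled on the HIDDEN_SETTINGS pattern Django's debug page uses: the match is
# case-insensitive and runs against the setting (or dict key) *name*, not its value.
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.I)
MASK = "********************"

# Hypothetical: names a project marks as secret even though the regex would not
# catch them. This is the "mark settings as secret" idea from the thread.
EXTRA_SECRET_NAMES = frozenset({"SENTRY_DSN"})


def is_secret_name(name: Any) -> bool:
    """True when a setting or dict key should be masked."""
    text = str(name)
    return bool(HIDDEN_SETTINGS.search(text)) or text in EXTRA_SECRET_NAMES


def cleanse(name: Any, value: Any) -> Any:
    """Return `value` with secrets replaced, recursing into dicts, lists and tuples.

    A matching name masks the whole value (so a SECRET_KEY that is a dict is hidden
    entirely); otherwise containers are walked so DATABASES['default']['PASSWORD']
    is still caught via its inner key.
    """
    if is_secret_name(name):
        return MASK
    if isinstance(value, Mapping):
        return {key: cleanse(key, inner) for key, inner in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(cleanse(name, inner) for inner in value)
    return value


def dump_settings(settings: Mapping[str, Any], include_secrets: bool = False) -> dict:
    """Return {NAME: value} for upper-case names, masked unless include_secrets."""
    result = {}
    for name in sorted(settings):
        if not name.isupper():          # same convention Django uses for settings
            continue
        value = settings[name]
        result[name] = value if include_secrets else cleanse(name, value)
    return result


def format_settings(settings: Mapping[str, Any], include_secrets: bool = False) -> str:
    """Render the dump one `NAME = repr(value)` per line."""
    return "\n".join(
        f"{name} = {value!r}"
        for name, value in dump_settings(settings, include_secrets).items()
    )


# Constructed sample settings for the demo; values are placeholders, not real secrets.
SAMPLE_SETTINGS = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["example.com"],
    "SECRET_KEY": "placeholder-secret-key",
    "AWS_SECRET_ACCESS_KEY": "placeholder-aws-secret",
    "SENTRY_DSN": "https://placeholder@sentry.example/1",
    "DATABASES": {
        "default": {"NAME": "app", "USER": "app", "PASSWORD": "placeholder-db-pass"}
    },
    "helper_value": "lowercase names are not settings and are skipped",
}


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="Dump settings, masking secrets by default.")
    parser.add_argument("--include-secrets", action="store_true",
                        help="show secret values instead of masking them")
    args = parser.parse_args(argv)
    print(format_settings(SAMPLE_SETTINGS, args.include_secrets))
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as `python dump_settings.py` to see the masked form and with `--include-secrets` to see the raw values. The name-based heuristic is what makes this cheap to maintain, and it is also its limit: a secret stored under a name such as `SENTRY_DSN` is only masked because the allow-list says so, which is the gap a standardized "this setting is secret" marker would close.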



> On 12 Jun 2020, at 13:59, Jure Erznožnik <jure.erznoz...@gmail.com> wrote:
> 
> There was a GSoC proposal 
> <https://groups.google.com/forum/#!searchin/django-developers/gsoc$20secrets$20manager%7Csort:date/django-developers/BUr4VgRI33U/q6GUUZczBQAJ> 
> this year for a SecretsManager that could conceivably make what you suggest 
> possible. Wasn't accepted though.
> 
> Not sure if it's a security issue with beginners that require help setting up 
> settings.py though. Should be easy enough to just paste the file (modified) 
> somewhere.
> 
> LP,
> Jure
> 
> On 12/06/2020 13:51, René Fleschenberg wrote:
>> Hi,
>> 
>> Just a thought that came to my mind: It would be useful to have a
>> command that dumps the run-time settings, but automatically replaces
>> secrets with dummy values.
>> 
>> I think this should not be too hard to do for Django's own secret
>> settings, and maybe it can also be done for some known common third
>> party settings (AWS_SECRET_ACCESS_KEY, for example).
>> 
>> Even better would be to have a standardized way of marking settings as
>> secret, though I am not sure if this is feasible.
>> 
>> Regards,
>> René
>> 
>> On 6/12/20 5:09 AM, '1337 Shadow Hacker' via Django developers
>> (Contributions to Django itself) wrote:
>>> Hi all,
>>> 
>>> So, just on #django IRC channel there was a user trying to help another
>>> one, asking for some settings through ./manage.py shell etc ... A
>>> discussion that went kind of like "Print out your settings" "How would I
>>> print, I tried that, I'm in settings.py" "With ... print()" "but in the
>>> shell, __file__ is not defined" and so on, and 20 minutes later the user
>>> couldn't print his settings and left.
>>> 
>>> TBH I'm pretty fine because the users I support are on projects where I
>>> added djcli to the requirements, so I can always ask them to do the djcli
>>> setting command to print out a setting. It's very useful to me, I
>>> think Django should have a command to dump runtime settings because that
>>> should make life easier for Django users trying to support newbies in
>>> their own projects, where they don't have a custom command installed;
>>> it's pretty cheap to make and maintain and should save quite some
>>> frustration on both sides of the story.
>>> 
>>> What do you think?
>>> 
>>> 
>>> -- 
>>> You received this message because you are subscribed to the Google
>>> Groups "Django developers (Contributions to Django itself)" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to django-developers+unsubscr...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/django-developers/X2HkH0yasxu2XVxBuVkbTfdSHctL7y3pW9seQ8CHFcVOpmsiyN80JlDYH2g5F6IfPvEdN4zyG6vuxj2HEMJaXUSErMUM5IT70iLvkxsrc7U%3D%40protonmail.com
> 
