#35646: SafeExceptionReporterFilter should filter settings and headers such as
HTTP_AUTHORIZATION
-------------------------------------+-------------------------------------
Reporter: Natalia | Owner: Natalia Bidart
Bidart |
Type: | Status: assigned
Cleanup/optimization |
Component: Error | Version: dev
reporting |
Severity: Normal | Keywords:
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
Following a report from Carlos Pastor:
> `HTTP_AUTHORIZATION` is not filtered out by
django.views.debug.SafeExceptionReporterFilter.get_safe_request_meta.
> [...] Many frameworks use this header to store the session tokens,
including django-rest-framework when used with the TokenAuthentication
class. The token will leak by the default AdminEmailHandler class, as it
is stored in this header.
Considering that sensitive data filtering is implemented as a "best effort
solution" and that is documented accordingly (see
[https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-
error-reports docs]), this ticket aims to harden
`SafeExceptionReporterFilter`.
--
Ticket URL: <https://code.djangoproject.com/ticket/35646>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/01070191091f1656-60860e86-7b6e-40e1-abc7-29c8030b3348-000000%40eu-central-1.amazonses.com.
