#35930: Database password visible on debug page in local variable
-------------------------------------+-------------------------------------
Reporter: bytej4ck | Owner: (none)
Type: Bug | Status: new
Component: Error reporting | Version:
Severity: Normal | Resolution:
Keywords: db, password, exposed | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):
* summary: Database password visible on debug page => Database password visible on debug page in local variable
Comment:
Thanks, that was enough for me to reproduce the issue. I can see how this
violates least surprise if these are substantially the same settings
already masked elsewhere in the debug view.
The initial wontfix (comment:5:ticket:21098) in a related ticket for
masking sensitive POST parameters argued masking wouldn't be worthwhile
(leaks developer's own secrets to developer, DEBUG page is documented as
always potentially leaking information), but I can see how not masking
database connection parameters violates least surprise given that these
are substantially the same settings already masked elsewhere in the debug
view. ticket:21098 was eventually fixed once there was a simpler
implementation.
Here is a potential tiny patch that I just confirmed fixes the issue,
although it would be using `@sensitive_variables()` outside the context of
a view, which I took to be the use case it was designed for:
{{{#!diff
diff --git a/django/db/backends/base/base.py
b/django/db/backends/base/base.py
index e6e0325d07..b950c20350 100644
--- a/django/db/backends/base/base.py
+++ b/django/db/backends/base/base.py
@@ -20,6 +20,7 @@ from django.db.transaction import
TransactionManagementError
from django.db.utils import DatabaseErrorWrapper, ProgrammingError
from django.utils.asyncio import async_unsafe
from django.utils.functional import cached_property
+from django.views.decorators.debug import sensitive_variables
NO_DB_ALIAS = "__no_db__"
RAN_DB_VERSION_CHECK = set()
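Review bot: the added `+from django.views.decorators.debug import sensitive_variables` makes `django/db/backends/base/base.py` depend on the views package, which inverts the usual layering (the db backends otherwise import nothing from `django.views`) and is the kind of upward import that tends to turn into a circular-import problem as `django.views.debug` grows. Consider moving the decorator's implementation to a lower-level module and re-exporting it from `django.views.decorators.debug`, or at least documenting in a comment why the dependency is safe here.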
@@ -235,6 +236,7 @@ class BaseDatabaseWrapper:
# ##### Backend-specific methods for creating connections #####
@async_unsafe
+ @sensitive_variables("conn_params")
def connect(self):
"""Connect to the database. Assume that the connection is
closed."""
# Check for invalid configurations.
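Review bot: `@sensitive_variables("conn_params")` masks only a local literally named `conn_params`, so the protection relies on every backend keeping that exact name for the dict returned by `get_connection_params()` through `connect()` and `get_new_connection()`; a backend that unpacks it under another name, or an exception raised before the variable is assigned, would still show the password on the debug page. A regression test (the ticket currently has Needs tests: 0) that forces a connection failure with a known password and asserts the technical 500 response does not contain it would pin the behaviour down, and a short comment on the decorator explaining the non-view use the description mentions would help the next reader.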
diff --git a/django/views/debug.py b/django/views/debug.py
index 10b4d22030..67e3f3d8b0 100644
--- a/django/views/debug.py
+++ b/django/views/debug.py
@@ -234,6 +234,8 @@ class SafeExceptionReporterFilter:
if is_multivalue_dict:
# Cleanse MultiValueDicts (request.POST is the one we usually
care about)
value = self.get_cleansed_multivaluedict(request, value)
+ else:
+ value = self.cleanse_setting("", value)
return value
def get_traceback_frame_variables(self, request, tb_frame):
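Review bot: `value = self.cleanse_setting("", value)` is now applied to every non-MultiValueDict frame variable, and the empty key means the variable itself can never match a hidden-setting name: a bare `password = "..."` local stays visible, and only keys inside dict-shaped values (such as `PASSWORD` in a connection-params dict) get masked, which should be spelled out in the commit message so nobody assumes broader coverage. Since `cleanse_setting` also rebuilds dicts, lists and tuples and wraps callables, the rendered repr of ordinary locals (functions, classes, large containers) on the debug page will change; please confirm that is intended and add a test covering a callable local and a nested dict. If this hunk stays, the `@sensitive_variables` change in `base.py` looks redundant for a dict-valued `conn_params`, so state which of the two is the intended fix, or why both are needed.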
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35930#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.