#33090: Extend sensitive post parameter filtering to be applicable to exceptions in middleware.
-------------------------------------+-------------------------------------
Reporter: Carlton Gibson | Owner: Oluwayemisi Ismail
Type: New feature | Status: assigned
Component: Error reporting | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by SnejPro):
Replying to [comment:12 Simon Kohlmeyer]:
> My current workaround, because I ran into this and cannot face my users without fixing it today:
>
> in settings.py:
>
>
> {{{
> MIDDLEWARE = [
>     ...,
>     "my.package.middleware.ensurePasswordIsntInErrorMailMiddleware",
>     "django.middleware.csrf.CsrfViewMiddleware",
>     ...
> ]
> }}}
>
> in my/package/middleware.py:
>
> {{{
> def ensurePasswordIsntInErrorMailMiddleware(get_response):
>     def middleware(request):
>         request.sensitive_post_parameters = ["password"]
>         return get_response(request)
>     return middleware
> }}}
>
> Basically setting it as a default, in case we don't get to the next point where it would be set.
>
> The django code always runs:
>
> {{{
> request.sensitive_post_parameters = parameters
> }}}
>
> So the setting from this middleware will be overridden the next time the decorator is hit.

Thank you!! I had the same concerns when I received a CSRF error report
with cleartext passwords of my users.
I think this should be implemented by default.
I've noticed that 5.2.6 addresses a similar issue:
https://github.com/django/django/commit/037e740ec56674e69e564b97e1151950757c410d
But updating to 5.2.6 does not solve this issue.
--
Ticket URL: <https://code.djangoproject.com/ticket/33090#comment:13>