sensitive_post_parameters

[Michael Manfre]

I just discovered that using @method_decorator(sensitive_post_parameters()) doesn't properly cleanse request.POST for all of the traceback frames. Specifically, method_decorator's inner bound_func leaks the request because it is contained in the args2 variable and not named request.

I plan on creating a ticket for this. If this usage is deemed valid, then it's a pretty serious issue for any site dealing with credit cards and it's probably a release blocker. If this usage is not valid, then the ticket will be to update the documentation so that others know not to do that.

Regards,

Michael Manfre

[Tim Graham]

Posting some of the discussion from IRC:

I've done some recent work with sensitive_post_parameters:

https://github.com/django/django/commit/2daada800f8e28cc1ba664b3008efaefab8fb570

The general lesson I learned was blacklisting isn't a very comprehensive approach and there are definitely ways you can inadvertently leak data. The docs should probably warn against insecure error collection (like email), even if using the sensitive decorators.

Patches to improve things would be welcome. I'm hesitant to treat it as a security issue/release blocker, but we can probably backport it to 1.6 at least.