[Django] #33606: Session ID should be cleansed from error reporting

[Django]

#33606: Session ID should be cleansed from error reporting
-------------------------------------------+------------------------
Reporter: Tobias Bengfort | Owner: (none)
Type: Bug | Status: new
Component: Error reporting | Version: 4.0
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------------+------------------------
the session ID should be cleansed when reporting errors, just like other
credentials. A patch is available at
https://github.com/django/django/pull/15352.

See also #29714 and https://groups.google.com/g/django-
developers/c/H5hJxpwYFcw.

A quick github search yielded multiple occasions where session IDs ended
up in public bug reports:

https://github.com/GibbsConsulting/django-plotly-dash/issues/376
https://github.com/ome/omero-mapr/issues/42
https://github.com/jhelbert/great_teaching_network/issues/220
https://github.com/dzone/osqa/issues/355

I am sure you could find many more. This could potentially be exploited
by automatically searching for such requests and hijacking the associated
accounts.

--
Ticket URL: <https://code.djangoproject.com/ticket/33606>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

[Django]

#33606: Session ID should be cleansed from error reporting

--------------------------------------+------------------------------------

Reporter: Tobias Bengfort | Owner: (none)

Type: Cleanup/optimization | Status: new

Component: Error reporting | Version: 4.0

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

--------------------------------------+------------------------------------
Changes (by Simon Charette):

* type: Bug => Cleanup/optimization
* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/33606#comment:1>

[Django]

#33606: Session ID should be cleansed from error reporting

-------------------------------------+-------------------------------------
Reporter: Tobias Bengfort | Owner: Tobias
Type: | Bengfort
Cleanup/optimization | Status: assigned

Component: Error reporting | Version: 4.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* owner: (none) => Tobias Bengfort
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/33606#comment:2>

[Django]

#33606: Session ID should be cleansed from error reporting
-------------------------------------+-------------------------------------
Reporter: Tobias Bengfort | Owner: Tobias
Type: | Bengfort
Cleanup/optimization | Status: assigned
Component: Error reporting | Version: 4.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 1

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Carlton Gibson):

* needs_docs: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/33606#comment:3>

[Django]

#33606: Session ID should be cleansed from error reporting
-------------------------------------+-------------------------------------
Reporter: Tobias Bengfort | Owner: Tobias
Type: | Bengfort
Cleanup/optimization | Status: assigned
Component: Error reporting | Version: 4.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Tobias Bengfort):

* needs_docs: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/33606#comment:4>

[Django]

#33606: Session ID should be cleansed from error reporting
-------------------------------------+-------------------------------------
Reporter: Tobias Bengfort | Owner: Tobias
Type: | Bengfort
Cleanup/optimization | Status: assigned
Component: Error reporting | Version: 4.0
Severity: Normal | Resolution:

Keywords: | Triage Stage: Ready for
| checkin

Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Carlton Gibson):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/33606#comment:5>

[Django]

#33606: Session ID should be cleansed from error reporting
-------------------------------------+-------------------------------------
Reporter: Tobias Bengfort | Owner: Tobias
Type: | Bengfort

Cleanup/optimization | Status: closed

Component: Error reporting | Version: 4.0

Severity: Normal | Resolution: fixed

Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Carlton Gibson <carlton@…>):

* status: assigned => closed
* resolution: => fixed

Comment:

In [changeset:"350455b666a289d336fca770578887ce51f1aebe" 350455b6]:
{{{
#!CommitTicketReference repository=""
revision="350455b666a289d336fca770578887ce51f1aebe"
Fixed #33606 -- Cleansed sessionid cookie in error reports.

Co-authored-by: Simon Charette <chare...@gmail.com>
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/33606#comment:6>