Re: [Django] #31604: Should SafeExceptionReporterFilter cleanse setting keys whose name matches "URL" in part, too?


Django

May 19, 2020, 3:00:04 AM5/19/20
to django-...@googlegroups.com
#31604: Should SafeExceptionReporterFilter cleanse setting keys whose name matches
"URL" in part, too?
-----------------------------------+--------------------------------------
Reporter: Sebastian Pipping | Owner: (none)
Type: Uncategorized | Status: closed
Component: Error reporting | Version: master
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+--------------------------------------
Changes (by Carlton Gibson):

* status: new => closed
* resolution: => wontfix


Comment:

Hi. Thanks for the report.

I think the idea is precisely that after #23004 you customise this for
your own project. The underlying issue is that there are any number of
possible customisations that would be appropriate for some given project,
and it's simply not feasible to keep adding them all.

In this particular case, the additional benefit to parsing sensitive URLs
(vs simply filtering them entirely in a subclass) doesn't seem worth the
complexity. (Given that URLs end up in log files, which is out-of-scope
for Django, we see complaints if sensitive values get used in URLs at all,
so I'm half-inclined towards thinking the issue here lies elsewhere.)

I hope that makes sense.

--
Ticket URL: <https://code.djangoproject.com/ticket/31604#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
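The two options contrasted in the comment above, filtering any setting whose name contains "URL" wholesale versus parsing URL values and redacting only their credential part, as an added stand-alone illustration that is not Django's own code. The default key pattern is reproduced from memory of the filter and is an assumption, and the sample settings are constructed; in a real project the same logic would live in a subclass of `django.views.debug.SafeExceptionReporterFilter` (overriding `hidden_settings` or `cleanse_setting`) selected through the `DEFAULT_EXCEPTION_REPORTER_FILTER` setting.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Key pattern assumed to match Django's filter at the time of the ticket:
# a setting whose NAME matches is replaced wholesale, its value is never parsed.
DEFAULT_HIDDEN = re.compile("API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.I)
# Option 1 from the comment: extend the pattern so any *URL* setting is hidden entirely.
HIDDEN_WITH_URL = re.compile("API|TOKEN|KEY|SECRET|PASS|SIGNATURE|URL", re.I)
SUBSTITUTE = "********************"


def cleanse_settings(settings, hidden=DEFAULT_HIDDEN):
    """Replace the value of every setting whose key matches `hidden`."""
    return {k: (SUBSTITUTE if hidden.search(k) else v) for k, v in settings.items()}


def redact_url_credentials(value):
    """Option 2: strip user:password from a URL-shaped string, keep the rest."""
    if not isinstance(value, str) or "://" not in value:
        return value
    parts = urlsplit(value)
    if parts.username is None and parts.password is None:
        return value  # no credentials embedded, nothing to hide
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def cleanse_settings_parsing_urls(settings, hidden=DEFAULT_HIDDEN):
    """Hide matching keys, and redact only the credential part of URL values."""
    return {k: (SUBSTITUTE if hidden.search(k) else redact_url_credentials(v))
            for k, v in settings.items()}


# Constructed sample settings (not taken from any real project).
SAMPLE = {
    "SECRET_KEY": "not-a-real-key",
    "DATABASE_URL": "postgres://app:hunter2@db.internal:5432/app",
    "CELERY_BROKER_URL": "redis://:hunter2@cache.internal:6379/0",
    "STATIC_URL": "/static/",
    "DEBUG": True,
}

if __name__ == "__main__":
    # With the default pattern the DATABASE_URL password reaches the debug page unchanged.
    print("default       :", cleanse_settings(SAMPLE))
    print("hide any URL  :", cleanse_settings(SAMPLE, HIDDEN_WITH_URL))
    print("redact creds  :", cleanse_settings_parsing_urls(SAMPLE))
```

The first option also blanks harmless values such as `STATIC_URL`, which is the trade-off the comment weighs against the extra parsing logic of the second.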

Django

Nov 9, 2024, 12:21:23 PM11/9/24
to django-...@googlegroups.com
#31604: Should SafeExceptionReporterFilter cleanse setting keys whose name matches
"URL" in part, too?
-----------------------------------+--------------------------------------
Reporter: Sebastian Pipping | Owner: (none)
Type: Uncategorized | Status: new
Component: Error reporting | Version: dev
Severity: Normal | Resolution:
Keywords: security debug | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+--------------------------------------
Changes (by Sebastian Pipping):

* cc: Sebastian Pipping (added)
* has_patch: 0 => 1
* keywords: => security debug
* resolution: wontfix =>
* status: closed => new

Comment:

Re-opening because it took part in allowing potential arbitrary remote
code execution as explained at
https://github.com/climateconnect/climateconnect/pull/1331#issuecomment-2397881433
in practice … Pull request upcoming…
--
Ticket URL: <https://code.djangoproject.com/ticket/31604#comment:2>

Django

Nov 9, 2024, 12:28:47 PM11/9/24
to django-...@googlegroups.com
#31604: Should SafeExceptionReporterFilter cleanse setting keys whose name matches
"URL" in part, too?
-----------------------------------+--------------------------------------
Reporter: Sebastian Pipping | Owner: (none)
Type: Uncategorized | Status: new
Component: Error reporting | Version: dev
Severity: Normal | Resolution:
Keywords: security debug | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+--------------------------------------
Comment (by Sebastian Pipping):

Pull request: https://github.com/django/django/pull/18789
--
Ticket URL: <https://code.djangoproject.com/ticket/31604#comment:3>

Django

Nov 11, 2024, 3:02:45 AM11/11/24
to django-...@googlegroups.com
#31604: Should SafeExceptionReporterFilter cleanse setting keys whose name matches
"URL" in part, too?
-----------------------------------+--------------------------------------
Reporter: Sebastian Pipping | Owner: (none)
Type: Uncategorized | Status: closed
Component: Error reporting | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: security debug | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+--------------------------------------
Changes (by Mariusz Felisiak):

* resolution: => wontfix
* status: new => closed

Comment:

Please don't reopen "wontfix" tickets.
TicketClosingReasons/DontReopenTickets
--
Ticket URL: <https://code.djangoproject.com/ticket/31604#comment:4>