[Django] #26209: Hide lowercase sensitive information


Django

Feb 11, 2016, 7:22:49 AM
to django-...@googlegroups.com
#26209: Hide lowercase sensitive information
---------------------------------+--------------------
Reporter: francoisfreitag | Owner: nobody
Type: New feature | Status: new
Component: Utilities | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 1 | UI/UX: 0
---------------------------------+--------------------
Django provides a `cleanse_setting` method[1] that prevents sensitive
information from being displayed (for example with the `diffsettings`
command).

`cleanse_setting` relies on a case-sensitive regular expression,
`HIDDEN_SETTINGS` [2].
Making `HIDDEN_SETTINGS` case-insensitive would be useful to prevent
`password` from being shown.

1:
https://github.com/django/django/blob/9332497701f2c69bf0bb6d38ce59a51ca7abe78d/django/views/debug.py#L40-L62
2:
https://github.com/django/django/blob/9332497701f2c69bf0bb6d38ce59a51ca7abe78d/django/views/debug.py#L22

--
Ticket URL: <https://code.djangoproject.com/ticket/26209>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Feb 11, 2016, 7:24:11 AM
to django-...@googlegroups.com
#26209: Hide lowercase sensitive setting
-------------------------------------+-------------------------------------
Reporter: francoisfreitag | Owner:
| francoisfreitag
Type: New feature | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by francoisfreitag):

* status: new => assigned
* needs_better_patch: => 0
* needs_tests: => 0
* owner: nobody => francoisfreitag
* needs_docs: => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/26209#comment:1>

Django

Feb 11, 2016, 7:27:27 AM
to django-...@googlegroups.com
#26209: Hide lowercase sensitive setting
-------------------------------------+-------------------------------------
Reporter: francoisfreitag | Owner:
| francoisfreitag
Type: New feature | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage:
| Unreviewed

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by francoisfreitag):

Corresponding PR: https://github.com/django/django/pull/6122

--
Ticket URL: <https://code.djangoproject.com/ticket/26209#comment:2>

Django

Feb 11, 2016, 8:56:33 AM
to django-...@googlegroups.com
#26209: Hide lowercase sensitive setting
-------------------------------------+-------------------------------------
Reporter: francoisfreitag | Owner:
| francoisfreitag
Type: New feature | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 0

Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* has_patch: 0 => 1
* needs_tests: 0 => 1
* stage: Unreviewed => Accepted


Comment:

I don't see any downside. On the other hand, the convention is to use
uppercase names for settings so is the only way to encounter this if
you're defining your own lower case settings?

--
Ticket URL: <https://code.djangoproject.com/ticket/26209#comment:3>

Django

Feb 11, 2016, 9:04:10 AM
to django-...@googlegroups.com
#26209: Hide lowercase sensitive setting
-------------------------------------+-------------------------------------
Reporter: francoisfreitag | Owner:
| francoisfreitag
Type: New feature | Status: assigned
Component: Utilities | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 0

Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by francoisfreitag):

That's correct. Something like this was defined:
{{{#!python
RABBITMQ = {
    'host': 'localhost',
    'login': 'guest',
    'password': 'guest',
}
}}}
I was surprised to see that `DATABASES` password was hidden, but not
`RABBITMQ`.

--
Ticket URL: <https://code.djangoproject.com/ticket/26209#comment:4>
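
Added example (not part of the ticket thread and not Django's own code): a simplified masking routine showing why the `RABBITMQ` password from the comment above is displayed under a case-sensitive pattern and hidden once the pattern ignores case. The keyword list, the helper names `cleanse`, `cleanse_all` and `leaked_keys`, the mask string and the sample values are assumptions of this example.

```python
import re

# Keyword list is an assumption of this example, modeled on the idea of a
# HIDDEN_SETTINGS-style pattern; it is not copied from the project.
KEYWORDS = "API|TOKEN|KEY|SECRET|PASS|SIGNATURE"
CASE_SENSITIVE = re.compile(KEYWORDS)
CASE_INSENSITIVE = re.compile(KEYWORDS, flags=re.IGNORECASE)
MASK = "********"


def cleanse(key, value, pattern):
    """Mask the value of a sensitive-looking key; walk nested dicts."""
    if isinstance(key, str) and pattern.search(key):
        return MASK
    if isinstance(value, dict):
        return {k: cleanse(k, v, pattern) for k, v in value.items()}
    return value


def cleanse_all(settings, pattern):
    """Apply cleanse() to every top-level setting."""
    return {k: cleanse(k, v, pattern) for k, v in settings.items()}


def leaked_keys(settings, pattern, path=()):
    """Dotted paths of keys that look sensitive but that `pattern` misses."""
    leaks = []
    for key, value in settings.items():
        here = path + (str(key),)
        if pattern.search(str(key)):
            continue  # masked as a whole, nothing below it is displayed
        if CASE_INSENSITIVE.search(str(key)):
            leaks.append(".".join(here))
        elif isinstance(value, dict):
            leaks.extend(leaked_keys(value, pattern, here))
    return leaks


# Constructed sample settings; RABBITMQ mirrors the dict quoted in the thread.
SAMPLE = {
    "DATABASES": {"default": {"NAME": "app", "PASSWORD": "s3cret"}},
    "RABBITMQ": {"host": "localhost", "login": "guest", "password": "guest"},
}

if __name__ == "__main__":
    print(cleanse_all(SAMPLE, CASE_SENSITIVE)["RABBITMQ"])
    print(cleanse_all(SAMPLE, CASE_INSENSITIVE)["RABBITMQ"])
    print(leaked_keys(SAMPLE, CASE_SENSITIVE))
```

`leaked_keys` can be run against a project's own settings dict as a check for lowercase or mixed-case secret names that a case-sensitive filter would leave visible in debug output.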

Django

Feb 11, 2016, 10:13:52 AM
to django-...@googlegroups.com
#26209: Hide lowercase sensitive setting
-------------------------------------+-------------------------------------
Reporter: francoisfreitag | Owner:
| francoisfreitag
Type: New feature | Status: assigned
Component: Utilities | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 0

Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by timgraham):

Okay, please uncheck "Needs tests" on this ticket when you add one to the
pull request. Thanks.

--
Ticket URL: <https://code.djangoproject.com/ticket/26209#comment:5>

Django

Feb 11, 2016, 4:45:12 PM
to django-...@googlegroups.com
#26209: Hide lowercase sensitive setting
-------------------------------------+-------------------------------------
Reporter: francoisfreitag | Owner:
| francoisfreitag
Type: New feature | Status: assigned
Component: Utilities | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by francoisfreitag):

* needs_tests: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/26209#comment:6>

Django

Feb 11, 2016, 6:13:39 PM
to django-...@googlegroups.com
#26209: Hide lowercase sensitive setting
-------------------------------------+-------------------------------------
Reporter: francoisfreitag | Owner:
| francoisfreitag
Type: New feature | Status: closed
Component: Utilities | Version: master
Severity: Normal | Resolution: fixed

Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"16a88b4429eb237cf3f7df6526c072efb72dbed1" 16a88b44]:
{{{
#!CommitTicketReference repository=""
revision="16a88b4429eb237cf3f7df6526c072efb72dbed1"
Fixed #26209 -- Masked sensitive settings in debug reports regardless of
case.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26209#comment:7>
