[Django] #32465: Passwords in env variables should be hidden on debug page like other settings are.


Django

Feb 19, 2021, 3:13:38 PM
to django-...@googlegroups.com
#32465: Passwords in env variables should be hidden on debug page like other
settings are.
-------------------------------------+-------------------------------------
Reporter: galt | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 3.1
Severity: Normal | Keywords: env passwords debug
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
Hundreds of blog pages tell people to put their settings for database and other passwords and keys into env variables for easier management, and then settings.py reads those. This is often described as a good way to avoid accidentally checking sensitive settings.py into source code control like git. But then the env variables are exposed in the Django debug output with debug=true. Since Django already hides 'API|TOKEN|KEY|SECRET|PASS|SIGNATURE' for Django settings, it should hide env variables too in the same way.

Currently this problem is not easy to work around.

Having debug=false for production helps protect production servers. But some users use the same db user/password for both development and production systems. So leaking one leaks the other.

On rare occasions, people need to temporarily enable debug on production to solve some quick issue. So fixing the bug would make this safer.

--
Ticket URL: <https://code.djangoproject.com/ticket/32465>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Feb 20, 2021, 8:30:56 PM
to django-...@googlegroups.com
#32465: Passwords in env variables should be hidden on debug page like other
settings are.
-------------------------------------+-------------------------------------
Reporter: galt | Owner: nobody
Type: Bug | Status: closed
Component: Error reporting | Version: 3.1
Severity: Normal | Resolution: duplicate
Keywords: env passwords debug | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

* status: new => closed
* resolution: => duplicate
* component: Uncategorized => Error reporting


Comment:

I'm guessing you aren't using Django 3.1 which has #23004, but if you are
please elaborate on where you see this.

--
Ticket URL: <https://code.djangoproject.com/ticket/32465#comment:1>
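The reporter quotes the name pattern ('API|TOKEN|KEY|SECRET|PASS|SIGNATURE') that the debug page uses to decide which settings to mask, and Tim's reply points to #23004 in Django 3.1, the release in which the same filter is also applied to request.META, which is where a WSGI server's os.environ surfaces on the debug page. The block below is an added, stand-alone illustration of that name-based masking; it is not Django's code and needs no Django install. It mirrors the quoted pattern and the twenty-asterisk substitute Django renders, and the settings and environment dictionaries (SAMPLE_SETTINGS, SAMPLE_META, the password "hunter2") are constructed for the example. The point worth checking in practice is the one the leaked_secrets() helper shows: masking is keyed on the variable name, so a secret carried in a variable whose name matches none of the fragments (a DATABASE_URL with an embedded password, or a DB_PW) is still printed in full even on a version that cleanses META.

```python
import re

# Name fragments quoted in the ticket; Django matches them case-insensitively.
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.IGNORECASE)
# The placeholder the debug page renders in place of a masked value.
CLEANSED_SUBSTITUTE = "********************"

# Constructed sample data (not from the ticket): a settings module and a
# WSGI-style request.META that picked up the process environment.
SAMPLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-0123456789abcdef",
    "DATABASES": {
        "default": {
            "ENGINE": "django.db.backends.postgresql",
            "USER": "app",
            "PASSWORD": "hunter2",
        }
    },
}

SAMPLE_META = {
    "HOME": "/srv/app",
    "DJANGO_SETTINGS_MODULE": "project.settings",
    "DATABASE_PASSWORD": "hunter2",                # name matches PASS -> masked
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG",  # matches SECRET and KEY -> masked
    "DATABASE_URL": "postgres://app:hunter2@db/app",   # no fragment in name -> shown
    "DB_PW": "hunter2",                             # no fragment in name -> shown
}


def cleanse_setting(key, value):
    """Mask a value whose key name matches HIDDEN_SETTINGS.

    Containers are walked so that a nested key such as
    DATABASES['default']['PASSWORD'] is masked while its siblings survive.
    A list element has no name of its own, so it is only recursed into.
    """
    if isinstance(key, str) and HIDDEN_SETTINGS.search(key):
        return CLEANSED_SUBSTITUTE
    if isinstance(value, dict):
        return {k: cleanse_setting(k, v) for k, v in value.items()}
    if isinstance(value, list):
        return [cleanse_setting("", v) for v in value]
    return value


def cleanse_mapping(mapping):
    """Apply cleanse_setting to every top-level entry of a settings or META dict."""
    return {k: cleanse_setting(k, v) for k, v in mapping.items()}


def leaked_secrets(cleansed, secrets):
    """Names in an already-cleansed mapping whose rendered value still contains a known secret.

    This is the check to run against your own environment: if it returns
    anything, the debug page would print that secret regardless of DEBUG-page
    masking, because the variable's name matches no hidden fragment.
    """
    leaks = []
    for key, value in cleansed.items():
        rendered = repr(value)
        if any(secret in rendered for secret in secrets):
            leaks.append(key)
    return sorted(leaks)


if __name__ == "__main__":
    for name, mapping in (("settings", SAMPLE_SETTINGS), ("META", SAMPLE_META)):
        print(f"--- {name} as the debug page would render it ---")
        for key, value in cleanse_mapping(mapping).items():
            print(f"{key} = {value!r}")
    print("still exposed:", leaked_secrets(cleanse_mapping(SAMPLE_META), {"hunter2"}))
```

Running it shows DATABASE_PASSWORD and AWS_SECRET_ACCESS_KEY replaced by the substitute while DATABASE_URL and DB_PW print the password verbatim, which is why naming env variables so that they hit one of the fragments (or keeping DEBUG off in production) matters even after #23004.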
