Le mercredi 22 avril 2015 à 07:05 -0700, Tim Graham a écrit :
> I have some concerns from a security standpoint. For example, some
> exception messages are definitely not meant to be displayed to end
> users and may leak server implementation details. For example:
>
> SuspiciousFileOperation(
> 'The joined path ({}) is located outside of the base path '
> 'component ({})'.format(final_path, base_path)
> )
That makes sense. But as SuspiciousOperation is special-cased in
get_response, we can as well pass None in the exception parameter. It's
not the typical situation where we want the user to receive a specific
message.
> If we proceed with the idea, maybe a separate exception attribute for
> a "user facing message" would be appropriate. Of course, if we pass
> the raw exception to the error handlers, we cannot prevent programmers
> from writing str(exception) (instead of using that custom attribute)
> and writing insecure code. As to whether that concern should block
> this feature, I'm not sure.
If we exclude 400 errors (500 errors are already excluded in my patch),
that leaves 403/404 codes where we should be safe with regard to error
messages. And then, Django will not print anything by default, the user
still has to provide a custom template containing the `expression`
context variable.
Claude