[Django] #35646: SafeExceptionReporterFilter should filter settings and headers such as HTTP_AUTHORIZATION


Django

Jul 31, 2024, 10:08:43 AM
to django-...@googlegroups.com
#35646: SafeExceptionReporterFilter should filter settings and headers such as HTTP_AUTHORIZATION
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: Natalia Bidart
Type: Cleanup/optimization           | Status: assigned
Component: Error reporting           | Version: dev
Severity: Normal                     | Keywords:
Triage Stage: Unreviewed             | Has patch: 0
Needs documentation: 0               | Needs tests: 0
Patch needs improvement: 0           | Easy pickings: 0
UI/UX: 0                             |
-------------------------------------+-------------------------------------
Following a report from Carlos Pastor:

> `HTTP_AUTHORIZATION` is not filtered out by
> django.views.debug.SafeExceptionReporterFilter.get_safe_request_meta.
> [...] Many frameworks use this header to store the session tokens,
> including django-rest-framework when used with the TokenAuthentication
> class. The token will be leaked by the default AdminEmailHandler class, as it
> is stored in this header.

Considering that sensitive data filtering is implemented as a "best effort
solution" and that this is documented accordingly (see
[https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-error-reports docs]),
this ticket aims to harden `SafeExceptionReporterFilter`.
--
Ticket URL: <https://code.djangoproject.com/ticket/35646>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Jul 31, 2024, 10:48:22 AM
to django-...@googlegroups.com
#35646: SafeExceptionReporterFilter should filter settings and headers such as HTTP_AUTHORIZATION
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: Natalia Bidart
Type: Cleanup/optimization           | Status: assigned
Component: Error reporting           | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Unreviewed
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):

* has_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/35646#comment:1>

Django

Jul 31, 2024, 12:00:45 PM
to django-...@googlegroups.com
#35646: SafeExceptionReporterFilter should filter settings and headers such as HTTP_AUTHORIZATION
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: Natalia Bidart
Type: Cleanup/optimization           | Status: assigned
Component: Error reporting           | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/35646#comment:2>

Django

Aug 1, 2024, 2:02:10 PM
to django-...@googlegroups.com
#35646: SafeExceptionReporterFilter should filter settings and headers such as HTTP_AUTHORIZATION
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: Natalia Bidart
Type: Cleanup/optimization           | Status: closed
Component: Error reporting           | Version: dev
Severity: Normal                     | Resolution: fixed
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by nessita <124304+nessita@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"aa9079505082d92d4ee5dc6a4adca056422422ed" aa907950]:
{{{#!CommitTicketReference repository="" revision="aa9079505082d92d4ee5dc6a4adca056422422ed"
Fixed #35646 -- Extended SafeExceptionReporterFilter.hidden_settings to
treat `AUTH` as a sensitive match.

Co-authored-by: Natalia <124304+...@users.noreply.github.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35646#comment:3>
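To make the report in the first message and the fix in the changeset above concrete, here is an added example (not Django's own code, and not part of this ticket thread). It is a simplified re-implementation of how `SafeExceptionReporterFilter.get_safe_request_meta` and `cleanse_setting` decide what to mask: every `META` key is tested against the `hidden_settings` regex, and matching values are replaced by the substitute string. The exact contents of the pre-fix pattern (`HIDDEN_SETTINGS_BEFORE`) are an assumption modelled on Django's source; the post-fix pattern only adds `AUTH`, as the commit message says. The `leaked_keys` helper and the sample `META` dict are constructed for this example.

```python
import re

# Substitute Django writes into reports in place of a sensitive value.
CLEANSED_SUBSTITUTE = "*" * 20

# Key patterns modelled on SafeExceptionReporterFilter.hidden_settings.
# Assumed pre-fix pattern (no "AUTH", so HTTP_AUTHORIZATION never matches).
HIDDEN_SETTINGS_BEFORE = re.compile(
    r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE|HTTP_COOKIE", flags=re.I
)
# Post-fix pattern: the changeset adds "AUTH" as a sensitive match, which
# covers HTTP_AUTHORIZATION as well as AUTH*-prefixed settings.
HIDDEN_SETTINGS_AFTER = re.compile(
    r"API|AUTH|TOKEN|KEY|SECRET|PASS|SIGNATURE|HTTP_COOKIE", flags=re.I
)


def cleanse_setting(key, value, hidden, session_cookie_name="sessionid"):
    """Mask `value` when `key` looks sensitive; recurse into containers.

    Simplified stand-in for SafeExceptionReporterFilter.cleanse_setting:
    the session cookie name is always sensitive, otherwise the key is
    searched with the `hidden` regex (non-string keys are never sensitive).
    """
    if key == session_cookie_name:
        is_sensitive = True
    else:
        try:
            is_sensitive = bool(hidden.search(key))
        except TypeError:  # e.g. an int key: re.search() rejects it
            is_sensitive = False
    if is_sensitive:
        return CLEANSED_SUBSTITUTE
    if isinstance(value, dict):
        return {
            k: cleanse_setting(k, v, hidden, session_cookie_name)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        # Container members have no key of their own, so only nested dicts
        # inside them can still trigger masking.
        cleansed = [cleanse_setting("", v, hidden, session_cookie_name) for v in value]
        return type(value)(cleansed)
    return value


def get_safe_request_meta(meta, hidden):
    """Return a copy of request.META with sensitive entries masked."""
    return {k: cleanse_setting(k, v, hidden) for k, v in meta.items()}


def leaked_keys(original, cleansed, sensitive_names):
    """Names from `sensitive_names` whose value reached the report unmasked."""
    return sorted(k for k in sensitive_names if cleansed.get(k) == original.get(k))


# Constructed sample META for a request authenticated with a DRF-style
# token header; the token value is made up.
SAMPLE_META = {
    "HTTP_AUTHORIZATION": "Token 0123456789abcdef0123456789abcdef01234567",
    "HTTP_COOKIE": "sessionid=abc123; csrftoken=def456",
    "HTTP_X_API_KEY": "deadbeef",
    "HTTP_USER_AGENT": "curl/8.0",
    "REMOTE_ADDR": "203.0.113.10",
}
SENSITIVE_HEADERS = ["HTTP_AUTHORIZATION", "HTTP_COOKIE", "HTTP_X_API_KEY"]

if __name__ == "__main__":
    for label, pattern in (("before", HIDDEN_SETTINGS_BEFORE), ("after", HIDDEN_SETTINGS_AFTER)):
        safe = get_safe_request_meta(SAMPLE_META, pattern)
        print(label, "leaked:", leaked_keys(SAMPLE_META, safe, SENSITIVE_HEADERS))
```

Running it shows `HTTP_AUTHORIZATION` as the one header that survives masking under the pre-fix pattern and nothing leaking once `AUTH` is in the regex. The broadened match is deliberately coarse: any key containing `AUTH` (for example `AUTHENTICATION_BACKENDS` in the settings dump) is masked too, which is the "best effort" trade-off the ticket description refers to; projects needing finer control can subclass the filter and override `hidden_settings`.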

Django

Aug 6, 2024, 8:11:24 AM
to django-...@googlegroups.com
#35646: SafeExceptionReporterFilter should filter settings and headers such as HTTP_AUTHORIZATION
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: Natalia Bidart
Type: Cleanup/optimization           | Status: closed
Component: Error reporting           | Version: dev
Severity: Normal                     | Resolution: fixed
Keywords:                            | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/35646#comment:4>