Fixed #799: any setting with "SECRET" or "PASSWORD" in the name is escaped in the debug view output (this can be expanded if there are other "naughty words" we want to strip out in the future). Thanks, Ian

git-svn-id: http://code.djangoproject.com/svn/django/trunk@1242 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Jacob Kaplan-Moss 2005-11-15 14:35:24 +00:00
parent 705a568854
commit d6aa904487
1 changed files with 15 additions and 2 deletions


@ -1,3 +1,4 @@
import re
import os
import sys
import inspect
@ -6,6 +7,8 @@ from os.path import dirname, join as pathjoin
from django.core.template import Template, Context
from django.utils.httpwrappers import HttpResponseServerError, HttpResponseNotFound
HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD')
def technical_500_response(request, exc_type, exc_value, tb):
"""
Create a technical server error response. The last three arguments are
@ -30,7 +33,17 @@ def technical_500_response(request, exc_type, exc_value, tb):
'pre_context_lineno' : pre_context_lineno,
})
tb = tb.tb_next
# Turn the settings module into a dict, filtering out anything that
# matches HIDDEN_SETTINGS along the way.
settings_dict = {}
for k in dir(settings):
if k.isupper():
if HIDDEN_SETTINGS.search(k):
settings_dict[k] = '********************'
else:
settings_dict[k] = getattr(settings, k)
t = Template(TECHNICAL_500_TEMPLATE)
c = Context({
'exception_type' : exc_type.__name__,
@ -39,7 +52,7 @@ def technical_500_response(request, exc_type, exc_value, tb):
'lastframe' : frames[-1],
'request' : request,
'request_protocol' : os.environ.get("HTTPS") == "on" and "https" or "http",
'settings' : dict([(k, getattr(settings, k)) for k in dir(settings) if k.isupper()]),
'settings' : settings_dict,
})
return HttpResponseServerError(t.render(c))
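Review bot: The mask added at `HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD')` is matched against the setting name only and is case-sensitive, so a credential stored under another name (`*_KEY`, `*_TOKEN`, `*_SIGNATURE`) or nested inside a container-valued setting still reaches the template unmasked via `settings_dict[k] = getattr(settings, k)`. Since the commit already anticipates widening the list, a broader token set such as `HIDDEN_SETTINGS = re.compile('API|TOKEN|KEY|SECRET|PASS|SIGNATURE')` covers the common names without changing the shape of the check, and a comment above it, `# Masks by setting NAME only (case-sensitive); values are never inspected`, makes the limitation explicit to the next maintainer. The `request` object handed to the context on the line `'request' : request` is outside this filter entirely; whether the template renders POST data or frame locals is not visible here, but if it does, a submitted password would still be printed in the page. The enclosing technical_500_response body spans hunks on both sides of this one.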