
Fixed #26209 -- Masked sensitive settings in debug reports regardless of case.

François Freitag 9 years ago
parent
commit
16a88b4429
2 changed files with 18 additions and 2 deletions
  1. 1 1
      django/views/debug.py
  2. 17 1
      tests/view_tests/tests/test_debug.py

+ 1 - 1
django/views/debug.py

@@ -19,7 +19,7 @@ from django.utils.translation import ugettext as _
 # regardless of the project's TEMPLATES setting.
 DEBUG_ENGINE = Engine(debug=True)
 
-HIDDEN_SETTINGS = re.compile('API|TOKEN|KEY|SECRET|PASS|SIGNATURE')
+HIDDEN_SETTINGS = re.compile('API|TOKEN|KEY|SECRET|PASS|SIGNATURE', flags=re.IGNORECASE)
 
 CLEANSED_SUBSTITUTE = '********************'
 
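Review bot: HIDDEN_SETTINGS is still a bare substring alternation, so adding re.IGNORECASE fixes the `password`-style miss but leaves names that carry none of these six fragments (for example ones built on AUTH, CREDENTIAL or PRIVATE) unmasked in the report; whether that is acceptable depends on cleanse_setting, which lives outside this hunk. Because the match is on the setting name and not its value, the constant deserves a comment stating that contract, e.g. `# Setting names containing any of these fragments (matched case-insensitively, as substrings) have their values replaced by CLEANSED_SUBSTITUTE in debug reports.` Note also that a case-insensitive substring match now catches names such as `api_version` or `monkey_count`, which is harmless over-masking but worth mentioning in that comment.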

+ 17 - 1
tests/view_tests/tests/test_debug.py

@@ -22,7 +22,8 @@ from django.utils import six
 from django.utils.encoding import force_bytes, force_text
 from django.utils.functional import SimpleLazyObject
 from django.views.debug import (
-    CallableSettingWrapper, ExceptionReporter, technical_500_response,
+    CLEANSED_SUBSTITUTE, CallableSettingWrapper, ExceptionReporter,
+    cleanse_setting, technical_500_response,
 )
 
 from .. import BrokenException, except_args
@@ -944,3 +945,18 @@ class AjaxResponseExceptionReporterFilter(ExceptionReportTestMixin, LoggingCaptu
         with self.settings(DEBUG=False):
             self.verify_unsafe_response(custom_exception_reporter_filter_view,
                 check_for_vars=False)
+
+
+class HelperFunctionTests(SimpleTestCase):
+
+    def test_cleanse_setting_basic(self):
+        self.assertEqual(cleanse_setting('TEST', 'TEST'), 'TEST')
+        self.assertEqual(cleanse_setting('PASSWORD', 'super_secret'), CLEANSED_SUBSTITUTE)
+
+    def test_cleanse_setting_ignore_case(self):
+        self.assertEqual(cleanse_setting('password', 'super_secret'), CLEANSED_SUBSTITUTE)
+
+    def test_cleanse_setting_recurses_in_dictionary(self):
+        initial = {'login': 'cooper', 'password': 'secret'}
+        expected = {'login': 'cooper', 'password': CLEANSED_SUBSTITUTE}
+        self.assertEqual(cleanse_setting('SETTING_NAME', initial), expected)
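Review bot: test_cleanse_setting_ignore_case only exercises an all-lowercase name, so a regression that handled case by lowercasing rather than by the regex flag would still pass; a mixed-case name inside a longer key pins the actual behaviour, e.g. `self.assertEqual(cleanse_setting('Db_Password', 'super_secret'), CLEANSED_SUBSTITUTE)`. test_cleanse_setting_recurses_in_dictionary checks a single level only; if cleanse_setting is meant to recurse, a nested dictionary such as `{'db': {'Password': 'secret'}}` would confirm the masking reaches inner keys, though I cannot see the implementation from this hunk. The class HelperFunctionTests is complete within the hunk.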