From d6aa904487527d468a6b8bc097028d7af9a668e6 Mon Sep 17 00:00:00 2001
From: Jacob Kaplan-Moss
Date: Tue, 15 Nov 2005 14:35:24 +0000
Subject: [PATCH] Fixed #799: any setting with "SECRET" or "PASSWORD" in the name is escaped in the debug view output (this can be expanded if there are other "naughty words" we want to strip out in the future. Thanks, Ian

git-svn-id: http://code.djangoproject.com/svn/django/trunk@1242 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/views/debug.py | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/django/views/debug.py b/django/views/debug.py
index d5323c0b595..4eb95c91d91 100644
--- a/django/views/debug.py
+++ b/django/views/debug.py
@@ -1,3 +1,4 @@
+import re
 import os
 import sys
 import inspect
@@ -6,6 +7,8 @@ from os.path import dirname, join as pathjoin
 from django.core.template import Template, Context
 from django.utils.httpwrappers import HttpResponseServerError, HttpResponseNotFound
 
+HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD')
+
 def technical_500_response(request, exc_type, exc_value, tb):
     """
     Create a technical server error response. The last three arguments are
@@ -30,7 +33,17 @@ def technical_500_response(request, exc_type, exc_value, tb):
             'pre_context_lineno' : pre_context_lineno,
         })
         tb = tb.tb_next
-
+
+    # Turn the settings module into a dict, filtering out anything that
+    # matches HIDDEN_SETTINGS along the way.
+    settings_dict = {}
+    for k in dir(settings):
+        if k.isupper():
+            if HIDDEN_SETTINGS.search(k):
+                settings_dict[k] = '********************'
+            else:
+                settings_dict[k] = getattr(settings, k)
+
     t = Template(TECHNICAL_500_TEMPLATE)
     c = Context({
         'exception_type' : exc_type.__name__,
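Review bot: HIDDEN_SETTINGS in the second hunk only masks a setting whose name contains the literal substrings SECRET or PASSWORD, so a credential stored under a name built on KEY or TOKEN is still rendered in full by the loop in the next hunk. Since the commit message already anticipates growing the list, consider widening it now, e.g. `HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD|KEY|TOKEN')`, and keeping it in one place so every debug view applies the same rule. A comment above the constant should also state the scope of the protection: `# Settings whose values must never reach the debug page; matched on the setting NAME only, so secrets embedded in another setting's value are not masked.`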
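Review bot: The comment introduced in the third hunk says the loop is "filtering out" matching settings, but the code keeps the key and replaces its value with a placeholder, which is a different (and better) behaviour; the comment should say so: `# Turn the settings module into a dict, masking the value of any setting whose name matches HIDDEN_SETTINGS.` The placeholder `'********************'` is a bare literal inside the function; hoisting it next to HIDDEN_SETTINGS as a module-level constant (for example `HIDDEN_SETTINGS_MASK`) would let any other debug view reuse the same masking without duplicating the string. The enclosing technical_500_response starts outside this hunk, so the source of the `settings` name used by `dir(settings)` cannot be confirmed from here.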
@@ -39,7 +52,7 @@ def technical_500_response(request, exc_type, exc_value, tb):
         'lastframe' : frames[-1],
         'request' : request,
         'request_protocol' : os.environ.get("HTTPS") == "on" and "https" or "http",
-        'settings' : dict([(k, getattr(settings, k)) for k in dir(settings) if k.isupper()]),
+        'settings' : settings_dict,
     })
     return HttpResponseServerError(t.render(c))