Fixed #17460 -- Extended the HIDDEN_SETTINGS constant in with a few more sensible names of settings to hide in the debug view. Many thanks to chomik, lpiatek and tomaszrybak.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17481 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-09 18:58:45 +00:00 · 2012-02-09 18:58:45 +00:00 · ec5e2f0ccc
parent f0a1633425
commit ec5e2f0ccc
4 changed files with 1153 additions and 9 deletions
--- a/django/views/debug.py
+++ b/django/views/debug.py
@ -14,7 +14,7 @@ from django.utils.html import escape
 from django.utils.importlib import import_module
 from django.utils.encoding import smart_unicode, smart_str

-HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD|PROFANITIES_LIST|SIGNATURE')
+HIDDEN_SETTINGS = re.compile('API|TOKEN|KEY|SECRET|PASS|PROFANITIES_LIST|SIGNATURE')

 CLEANSED_SUBSTITUTE = u'********************'

--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@ -756,15 +756,24 @@ Default: ``False``

 A boolean that turns on/off debug mode.

-If you define custom settings, `django/views/debug.py`_ has a ``HIDDEN_SETTINGS``
-regular expression which will hide from the DEBUG view anything that contains
-``'SECRET'``, ``'PASSWORD'``, ``'PROFANITIES'``, or ``'SIGNATURE'``. This allows
-untrusted users to be able to give backtraces without seeing sensitive (or
-offensive) settings.
+If you define custom settings, `django/views/debug.py`_ has a
+``HIDDEN_SETTINGS`` regular expression which will hide from the DEBUG view
+anything that contains ``'API'``, ``'TOKEN'``, ``'KEY'``, ``'SECRET'``,
+``'PASS'``, ``'PROFANITIES_LIST'``, or ``'SIGNATURE'``. This allows untrusted
+users to be able to give backtraces without seeing sensitive (or offensive)
+settings.

-Still, note that there are always going to be sections of your debug output that
-are inappropriate for public consumption. File paths, configuration options, and
-the like all give attackers extra information about your server.
+.. versionchanged:: 1.4
+
+    ``'PASSWORD'`` changed to ``'PASS'``. ``'API'``, ``'TOKEN'``, ``'KEY'`` 
+    were added.
+
+Note that due to how regular expression matching works ``'PASS'`` will also
+match PASSWORD, just as ``'TOKEN'`` will also match TOKENIZED and so on.
+
+Still, note that there are always going to be sections of your debug output
+that are inappropriate for public consumption. File paths, configuration
+options, and the like all give attackers extra information about your server.

 It is also important to remember that when running with :setting:`DEBUG`
 turned on, Django will remember every SQL query it executes. This is useful
--- a/docs/releases/1.4-beta-1.txt
+++ b/docs/releases/1.4-beta-1.txt
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@ -81,6 +81,7 @@ notes.
 .. toctree::
   :maxdepth: 1

+   1.4-beta-1
   1.4-alpha-1
   1.3-beta-1
   1.3-alpha-1