Fixed #17460 -- Extended the HIDDEN_SETTINGS constant in with a few more sensible names of settings to hide in the debug view. Many thanks to chomik, lpiatek and tomaszrybak.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17481 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Jannis Leidel
parent
f0a1633425
commit
ec5e2f0ccc
|
|
@ -14,7 +14,7 @@ from django.utils.html import escape
|
||||||
from django.utils.importlib import import_module
|
from django.utils.importlib import import_module
|
||||||
from django.utils.encoding import smart_unicode, smart_str
|
from django.utils.encoding import smart_unicode, smart_str
|
||||||
|
|
||||||
HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD|PROFANITIES_LIST|SIGNATURE')
|
HIDDEN_SETTINGS = re.compile('API|TOKEN|KEY|SECRET|PASS|PROFANITIES_LIST|SIGNATURE')
|
||||||
|
|
||||||
CLEANSED_SUBSTITUTE = u'********************'
|
CLEANSED_SUBSTITUTE = u'********************'
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -756,15 +756,24 @@ Default: ``False``
|
||||||
|
|
||||||
A boolean that turns on/off debug mode.
|
A boolean that turns on/off debug mode.
|
||||||
|
|
||||||
If you define custom settings, `django/views/debug.py`_ has a ``HIDDEN_SETTINGS``
|
If you define custom settings, `django/views/debug.py`_ has a
|
||||||
regular expression which will hide from the DEBUG view anything that contains
|
``HIDDEN_SETTINGS`` regular expression which will hide from the DEBUG view
|
||||||
``'SECRET'``, ``'PASSWORD'``, ``'PROFANITIES'``, or ``'SIGNATURE'``. This allows
|
anything that contains ``'API'``, ``'TOKEN'``, ``'KEY'``, ``'SECRET'``,
|
||||||
untrusted users to be able to give backtraces without seeing sensitive (or
|
``'PASS'``, ``'PROFANITIES_LIST'``, or ``'SIGNATURE'``. This allows untrusted
|
||||||
offensive) settings.
|
users to be able to give backtraces without seeing sensitive (or offensive)
|
||||||
|
settings.
|
||||||
|
|
||||||
Still, note that there are always going to be sections of your debug output that
|
.. versionchanged:: 1.4
|
||||||
are inappropriate for public consumption. File paths, configuration options, and
|
|
||||||
the like all give attackers extra information about your server.
|
``'PASSWORD'`` changed to ``'PASS'``. ``'API'``, ``'TOKEN'``, ``'KEY'``
|
||||||
|
were added.
|
||||||
|
|
||||||
|
Note that due to how regular expression matching works ``'PASS'`` will also
|
||||||
|
match PASSWORD, just as ``'TOKEN'`` will also match TOKENIZED and so on.
|
||||||
|
|
||||||
|
Still, note that there are always going to be sections of your debug output
|
||||||
|
that are inappropriate for public consumption. File paths, configuration
|
||||||
|
options, and the like all give attackers extra information about your server.
|
||||||
|
|
||||||
It is also important to remember that when running with :setting:`DEBUG`
|
It is also important to remember that when running with :setting:`DEBUG`
|
||||||
turned on, Django will remember every SQL query it executes. This is useful
|
turned on, Django will remember every SQL query it executes. This is useful
|
||||||
|
|
|
||||||
File diff suppressed because it is too large
Load Diff
|
|
@ -81,6 +81,7 @@ notes.
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
|
1.4-beta-1
|
||||||
1.4-alpha-1
|
1.4-alpha-1
|
||||||
1.3-beta-1
|
1.3-beta-1
|
||||||
1.3-alpha-1
|
1.3-alpha-1
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue