Loading docs/howto/error-reporting.txt +5 −1 Original line number Diff line number Diff line Loading @@ -117,6 +117,8 @@ Filtering error reports Filtering sensitive information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. currentmodule:: django.views.decorators.debug Error reports are really helpful for debugging errors, so it is generally useful to record as much relevant information about those errors as possible. For example, by default Django records the `full traceback`_ for the Loading Loading @@ -240,11 +242,13 @@ attribute:: request.exception_reporter_filter = CustomExceptionReporterFilter() ... .. currentmodule:: django.views.debug Your custom filter class needs to inherit from :class:`django.views.debug.SafeExceptionReporterFilter` and may override the following methods: .. class:: django.views.debug.SafeExceptionReporterFilter .. class:: SafeExceptionReporterFilter .. method:: SafeExceptionReporterFilter.is_active(self, request) Loading docs/releases/1.4-alpha-1.txt +4 −3 Original line number Diff line number Diff line Loading @@ -337,9 +337,10 @@ docs </ref/contrib/csrf>` for more information. Error report filtering ~~~~~~~~~~~~~~~~~~~~~~ Two new function decorators, :func:`sensitive_variables` and :func:`sensitive_post_parameters`, were added to allow designating the local variables and POST parameters which may contain sensitive We added two function decorators, :func:`~django.views.decorators.debug.sensitive_variables` and :func:`~django.views.decorators.debug.sensitive_post_parameters`, to allow designating the local variables and POST parameters that may contain sensitive information and should be filtered out of error reports. All POST parameters are now systematically filtered out of error reports for Loading docs/releases/1.4-beta-1.txt +4 −3 Original line number Diff line number Diff line Loading @@ -375,9 +375,10 @@ docs </ref/contrib/csrf>` for more information. Error report filtering ~~~~~~~~~~~~~~~~~~~~~~ Two new function decorators, :func:`sensitive_variables` and :func:`sensitive_post_parameters`, were added to allow designating the local variables and POST parameters which may contain sensitive We added two function decorators, :func:`~django.views.decorators.debug.sensitive_variables` and :func:`~django.views.decorators.debug.sensitive_post_parameters`, to allow designating the local variables and POST parameters that may contain sensitive information and should be filtered out of error reports. All POST parameters are now systematically filtered out of error reports for Loading docs/releases/1.4.8.txt 0 → 100644 +32 −0 Original line number Diff line number Diff line ========================== Django 1.4.8 release notes ========================== *September 14, 2013* Django 1.4.8 fixes two security issues present in previous Django releases in the 1.4 series. Denial-of-service via password hashers -------------------------------------- In previous versions of Django, no limit was imposed on the plaintext length of a password. This allowed a denial-of-service attack through submission of bogus but extremely large passwords, tying up server resources performing the (expensive, and increasingly expensive with the length of the password) calculation of the corresponding hash. As of 1.4.8, Django's authentication framework imposes a 4096-byte limit on passwords and will fail authentication with any submitted password of greater length. Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`’s admin ------------------------------------------------------------------------------------------------------------------------- The decoration of the ``add_view`` and ``user_change_password`` user admin views with :func:`~django.views.decorators.debug.sensitive_post_parameters` did not include :func:`~django.utils.decorators.method_decorator` (required since the views are methods) resulting in the decorator not being properly applied. This usage has been fixed and :func:`~django.views.decorators.debug.sensitive_post_parameters` will now throw an exception if it's improperly used. docs/releases/1.4.txt +5 −4 Original line number Diff line number Diff line Loading @@ -507,10 +507,11 @@ docs </ref/contrib/csrf>` for more information. Error report filtering ~~~~~~~~~~~~~~~~~~~~~~ We added two function decorators, :func:`sensitive_variables` and :func:`sensitive_post_parameters`, to allow designating the local variables and POST parameters that may contain sensitive information and should be filtered out of error reports. We added two function decorators, :func:`~django.views.decorators.debug.sensitive_variables` and :func:`~django.views.decorators.debug.sensitive_post_parameters`, to allow designating the local variables and POST parameters that may contain sensitive information and should be filtered out of error reports. All POST parameters are now systematically filtered out of error reports for certain views (``login``, ``password_reset_confirm``, ``password_change`` and Loading Loading
docs/howto/error-reporting.txt +5 −1 Original line number Diff line number Diff line Loading @@ -117,6 +117,8 @@ Filtering error reports Filtering sensitive information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. currentmodule:: django.views.decorators.debug Error reports are really helpful for debugging errors, so it is generally useful to record as much relevant information about those errors as possible. For example, by default Django records the `full traceback`_ for the Loading Loading @@ -240,11 +242,13 @@ attribute:: request.exception_reporter_filter = CustomExceptionReporterFilter() ... .. currentmodule:: django.views.debug Your custom filter class needs to inherit from :class:`django.views.debug.SafeExceptionReporterFilter` and may override the following methods: .. class:: django.views.debug.SafeExceptionReporterFilter .. class:: SafeExceptionReporterFilter .. method:: SafeExceptionReporterFilter.is_active(self, request) Loading
docs/releases/1.4-alpha-1.txt +4 −3 Original line number Diff line number Diff line Loading @@ -337,9 +337,10 @@ docs </ref/contrib/csrf>` for more information. Error report filtering ~~~~~~~~~~~~~~~~~~~~~~ Two new function decorators, :func:`sensitive_variables` and :func:`sensitive_post_parameters`, were added to allow designating the local variables and POST parameters which may contain sensitive We added two function decorators, :func:`~django.views.decorators.debug.sensitive_variables` and :func:`~django.views.decorators.debug.sensitive_post_parameters`, to allow designating the local variables and POST parameters that may contain sensitive information and should be filtered out of error reports. All POST parameters are now systematically filtered out of error reports for Loading
docs/releases/1.4-beta-1.txt +4 −3 Original line number Diff line number Diff line Loading @@ -375,9 +375,10 @@ docs </ref/contrib/csrf>` for more information. Error report filtering ~~~~~~~~~~~~~~~~~~~~~~ Two new function decorators, :func:`sensitive_variables` and :func:`sensitive_post_parameters`, were added to allow designating the local variables and POST parameters which may contain sensitive We added two function decorators, :func:`~django.views.decorators.debug.sensitive_variables` and :func:`~django.views.decorators.debug.sensitive_post_parameters`, to allow designating the local variables and POST parameters that may contain sensitive information and should be filtered out of error reports. All POST parameters are now systematically filtered out of error reports for Loading
docs/releases/1.4.8.txt 0 → 100644 +32 −0 Original line number Diff line number Diff line ========================== Django 1.4.8 release notes ========================== *September 14, 2013* Django 1.4.8 fixes two security issues present in previous Django releases in the 1.4 series. Denial-of-service via password hashers -------------------------------------- In previous versions of Django, no limit was imposed on the plaintext length of a password. This allowed a denial-of-service attack through submission of bogus but extremely large passwords, tying up server resources performing the (expensive, and increasingly expensive with the length of the password) calculation of the corresponding hash. As of 1.4.8, Django's authentication framework imposes a 4096-byte limit on passwords and will fail authentication with any submitted password of greater length. Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`’s admin ------------------------------------------------------------------------------------------------------------------------- The decoration of the ``add_view`` and ``user_change_password`` user admin views with :func:`~django.views.decorators.debug.sensitive_post_parameters` did not include :func:`~django.utils.decorators.method_decorator` (required since the views are methods) resulting in the decorator not being properly applied. This usage has been fixed and :func:`~django.views.decorators.debug.sensitive_post_parameters` will now throw an exception if it's improperly used.
docs/releases/1.4.txt +5 −4 Original line number Diff line number Diff line Loading @@ -507,10 +507,11 @@ docs </ref/contrib/csrf>` for more information. Error report filtering ~~~~~~~~~~~~~~~~~~~~~~ We added two function decorators, :func:`sensitive_variables` and :func:`sensitive_post_parameters`, to allow designating the local variables and POST parameters that may contain sensitive information and should be filtered out of error reports. We added two function decorators, :func:`~django.views.decorators.debug.sensitive_variables` and :func:`~django.views.decorators.debug.sensitive_post_parameters`, to allow designating the local variables and POST parameters that may contain sensitive information and should be filtered out of error reports. All POST parameters are now systematically filtered out of error reports for certain views (``login``, ``password_reset_confirm``, ``password_change`` and Loading
