Commit ec5e2f0c authored by Jannis Leidel's avatar Jannis Leidel

Fixed #17460 -- Extended the HIDDEN_SETTINGS constant in with a few more...

Fixed #17460 -- Extended the HIDDEN_SETTINGS constant in  with a few more sensible names of settings to hide in the debug view. Many thanks to chomik, lpiatek and tomaszrybak.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17481 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent f0a16334
+1 −1
@@ -14,7 +14,7 @@ from django.utils.html import escape
from django.utils.importlib import import_module
from django.utils.encoding import smart_unicode, smart_str

HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD|PROFANITIES_LIST|SIGNATURE')
HIDDEN_SETTINGS = re.compile('API|TOKEN|KEY|SECRET|PASS|PROFANITIES_LIST|SIGNATURE')

CLEANSED_SUBSTITUTE = u'********************'
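Review bot: the pattern in the `HIDDEN_SETTINGS = re.compile(...)` line is unanchored and case-sensitive, so it hides any setting whose name contains one of the fragments as a substring: `PASS` therefore still covers `PASSWORD`, and `API`, `TOKEN` and `KEY` will also catch unrelated upper-case names (an over-match in the safe direction), while a mixed-case custom setting such as `MyApiKey` would not be matched at all. Add a one-line comment above the regex stating that substring, upper-case-only semantics, so the next person extending the list neither anchors it nor adds a longer word that a shorter fragment already subsumes, as `PASSWORD` was by `PASS`.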

+18 −9
@@ -756,15 +756,24 @@ Default: ``False``

A boolean that turns on/off debug mode.

If you define custom settings, `django/views/debug.py`_ has a ``HIDDEN_SETTINGS``
regular expression which will hide from the DEBUG view anything that contains
``'SECRET'``, ``'PASSWORD'``, ``'PROFANITIES'``, or ``'SIGNATURE'``. This allows
untrusted users to be able to give backtraces without seeing sensitive (or
offensive) settings.

Still, note that there are always going to be sections of your debug output that
are inappropriate for public consumption. File paths, configuration options, and
the like all give attackers extra information about your server.
If you define custom settings, `django/views/debug.py`_ has a
``HIDDEN_SETTINGS`` regular expression which will hide from the DEBUG view
anything that contains ``'API'``, ``'TOKEN'``, ``'KEY'``, ``'SECRET'``,
``'PASS'``, ``'PROFANITIES_LIST'``, or ``'SIGNATURE'``. This allows untrusted
users to be able to give backtraces without seeing sensitive (or offensive)
settings.

.. versionchanged:: 1.4

    ``'PASSWORD'`` changed to ``'PASS'``. ``'API'``, ``'TOKEN'``, ``'KEY'`` 
    were added.

Note that due to how regular expression matching works ``'PASS'`` will also
match PASSWORD, just as ``'TOKEN'`` will also match TOKENIZED and so on.

Still, note that there are always going to be sections of your debug output
that are inappropriate for public consumption. File paths, configuration
options, and the like all give attackers extra information about your server.

It is also important to remember that when running with :setting:`DEBUG`
turned on, Django will remember every SQL query it executes. This is useful
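Review bot: the first line of the ``.. versionchanged:: 1.4`` block (the one ending in ``'KEY'``) carries trailing whitespace, which the docs build and linters flag; strip it. The sentence "Note that due to how regular expression matching works ``'PASS'`` will also match PASSWORD" would be clearer if it named the mechanism: the pattern is neither anchored nor word-bounded, so any setting name that contains one of the fragments as a substring is hidden, and since matching is case-sensitive only upper-case names are affected. A short rewording such as "The match is a case-sensitive substring match, so ``'PASS'`` also hides ``PASSWORD`` and ``'TOKEN'`` also hides ``TOKENIZED``" says this without relying on the reader to infer the regex semantics.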
+1134 −0

File added.

+1 −0
@@ -81,6 +81,7 @@ notes.
.. toctree::
   :maxdepth: 1

   1.4-beta-1
   1.4-alpha-1
   1.3-beta-1
   1.3-alpha-1
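Review bot: the new ``1.4-beta-1`` toctree entry must match the filename of a release-notes document in the same directory, and the only file this commit adds (+1134 −0) is collapsed in the preview, so that correspondence cannot be confirmed from the visible lines; please check that the added file is named ``1.4-beta-1`` (with the directory's usual extension) so the toctree does not produce a missing-document warning. The placement above ``1.4-alpha-1`` keeps the existing newest-first ordering, which is correct.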