Mirror of https://github.com/django/django.git, synced 2025-10-25 22:56:12 +00:00
Fixed #17460 -- Extended the HIDDEN_SETTINGS constant with a few more sensible names of settings to hide in the debug view. Many thanks to chomik, lpiatek and tomaszrybak.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17481 bcc190cf-cafb-0310-a4f2-bffc1f526a37
		| @@ -14,7 +14,7 @@ from django.utils.html import escape | |||||||
| from django.utils.importlib import import_module | from django.utils.importlib import import_module | ||||||
| from django.utils.encoding import smart_unicode, smart_str | from django.utils.encoding import smart_unicode, smart_str | ||||||
|  |  | ||||||
| HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD|PROFANITIES_LIST|SIGNATURE') | HIDDEN_SETTINGS = re.compile('API|TOKEN|KEY|SECRET|PASS|PROFANITIES_LIST|SIGNATURE') | ||||||
|  |  | ||||||
| CLEANSED_SUBSTITUTE = u'********************' | CLEANSED_SUBSTITUTE = u'********************' | ||||||
|  |  | ||||||
|   | |||||||
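Review bot: the new `HIDDEN_SETTINGS` pattern is an unanchored, case-sensitive alternation, so (as the docs hunk in this same commit puts it) it hides anything whose name contains one of the substrings; the short tokens `KEY` and `API` will therefore also cleanse unrelated settings whose names merely contain those letters, which is the safe direction for a denylist but deserves a comment next to the constant, e.g. `# Substring match: 'PASS' also covers PASSWORD, 'KEY' covers any *_KEY`. The diff adds no test: a case in the debug-view tests asserting that settings named with `API`, `TOKEN`, `KEY` and `PASS` come back as `CLEANSED_SUBSTITUTE` while an unrelated name is left intact would pin the new behaviour down. The gap that remains is inherent to the approach: a setting holding a credential whose name contains none of these words is still rendered verbatim in the debug page, so the constant reduces exposure rather than eliminating it.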
| @@ -756,15 +756,24 @@ Default: ``False`` | |||||||
|  |  | ||||||
| A boolean that turns on/off debug mode. | A boolean that turns on/off debug mode. | ||||||
|  |  | ||||||
| If you define custom settings, `django/views/debug.py`_ has a ``HIDDEN_SETTINGS`` | If you define custom settings, `django/views/debug.py`_ has a | ||||||
| regular expression which will hide from the DEBUG view anything that contains | ``HIDDEN_SETTINGS`` regular expression which will hide from the DEBUG view | ||||||
| ``'SECRET'``, ``'PASSWORD'``, ``'PROFANITIES'``, or ``'SIGNATURE'``. This allows | anything that contains ``'API'``, ``'TOKEN'``, ``'KEY'``, ``'SECRET'``, | ||||||
| untrusted users to be able to give backtraces without seeing sensitive (or | ``'PASS'``, ``'PROFANITIES_LIST'``, or ``'SIGNATURE'``. This allows untrusted | ||||||
| offensive) settings. | users to be able to give backtraces without seeing sensitive (or offensive) | ||||||
|  | settings. | ||||||
|  |  | ||||||
| Still, note that there are always going to be sections of your debug output that | .. versionchanged:: 1.4 | ||||||
| are inappropriate for public consumption. File paths, configuration options, and |  | ||||||
| the like all give attackers extra information about your server. |     ``'PASSWORD'`` changed to ``'PASS'``. ``'API'``, ``'TOKEN'``, ``'KEY'``  | ||||||
|  |     were added. | ||||||
|  |  | ||||||
|  | Note that due to how regular expression matching works ``'PASS'`` will also | ||||||
|  | match PASSWORD, just as ``'TOKEN'`` will also match TOKENIZED and so on. | ||||||
|  |  | ||||||
|  | Still, note that there are always going to be sections of your debug output | ||||||
|  | that are inappropriate for public consumption. File paths, configuration | ||||||
|  | options, and the like all give attackers extra information about your server. | ||||||
|  |  | ||||||
| It is also important to remember that when running with :setting:`DEBUG` | It is also important to remember that when running with :setting:`DEBUG` | ||||||
| turned on, Django will remember every SQL query it executes. This is useful | turned on, Django will remember every SQL query it executes. This is useful | ||||||
|   | |||||||
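Review bot: the sentence beginning "Note that due to how regular expression matching works" needs a comma after "works", and it would be clearer to say outright that the match is a substring search, since that is what makes ``'PASS'`` cover PASSWORD and ``'TOKEN'`` cover TOKENIZED; it is also worth stating that the match is case-sensitive, because the pattern in `django/views/debug.py` is compiled without `re.IGNORECASE`, so a setting name spelled in lower case is not hidden. The ``versionchanged`` block carries trailing whitespace after ``'KEY'``; strip it. Apart from that, the list in the docs now matches the constant exactly, and splitting the long paragraph into the two notes reads well.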
docs/releases/1.4-beta-1.txt: new file, 1134 lines (file diff suppressed because it is too large)
							| @@ -81,6 +81,7 @@ notes. | |||||||
| .. toctree:: | .. toctree:: | ||||||
|    :maxdepth: 1 |    :maxdepth: 1 | ||||||
|  |  | ||||||
|  |    1.4-beta-1 | ||||||
|    1.4-alpha-1 |    1.4-alpha-1 | ||||||
|    1.3-beta-1 |    1.3-beta-1 | ||||||
|    1.3-alpha-1 |    1.3-alpha-1 | ||||||
|   | |||||||