Security issue: settings.py stores password+username in plain-text

[AlecTaylor]

Good evening,

I've just begun learning DJango when I noticed settings.py stores password+username in plain-text.

Please fix this (i.e. by implementing something with PyOpenSSL or I can write a frontend in C++)

Thanks,

Alec Taylor

[Aymeric Augustin]

settings.py is a regular python file, you can implement the password loading mechanism that best suits your needs. However, I think it's unrealistic to try to develop a one-size-fits-all password storage mechanism. There are too many uses of Django.

The (POSIX) user under which the application runs needs access to the password anyway, so it's hard to provide much more security than chowning settings.py to this user and chmodding to 400.

Marking as DDN, but I think core devs will say "wontfix".

Thanks for the suggestion!

[Russell Keith-Magee]

1. First off, *PLEASE* don't report security issues to Trac. If you think you have found a security issue, it should be reported to security@…, just like it says on the new ticket page.

2. Like aaugustin says, this isn't a security issue. If an attacker is in a position where they can read your settings.py file, the battle is already lost.

3. If you still want to use a different authentication method, you have that flexibility. The only part of settings.py that specifies a username and password is the database backend, and they are plugabble, so you can implement your own backend with your own authentication method if you want.

If you implement a pluggable backend with a custom authentication scheme and want to contribute it to trunk, we *might* consider adding it to trunk (depending on complexity, efficacy, etc), but otherwise, having this as an open ticket won't actually progress anything. Marking wontfix, as aaugustin suggested.