Context Navigation

← Previous Ticket
Next Ticket →

#31451 closed Cleanup/optimization (fixed)

Settings are cleaned insufficiently.

Reported by:	Markus Holtermann	Owned by:	Ichlasul Affan
Component:	Error reporting	Version:	dev
Severity:	Normal	Keywords:
Cc:		Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

Posting publicly after checking with the rest of the security team.

I just ran into a case where django.views.debug.SafeExceptionReporterFilter.get_safe_settings() would return several un-cleansed values. Looking at cleanse_setting() I realized that we only take care of `dict`s but don't take other types of iterables into account but return them as-is.

Example:

In my settings.py I have this:

MY_SETTING = {
    "foo": "value",
    "secret": "value",
    "token": "value",
    "something": [
        {"foo": "value"},
        {"secret": "value"},
        {"token": "value"},
    ],
    "else": [
        [
            {"foo": "value"},
            {"secret": "value"},
            {"token": "value"},
        ],
        [
            {"foo": "value"},
            {"secret": "value"},
            {"token": "value"},
        ],
    ]
}

On Django 3.0 and below:

>>> import pprint
>>> from django.views.debug import get_safe_settings
>>> pprint.pprint(get_safe_settings()["MY_SETTING"])
{'else': [[{'foo': 'value'}, {'secret': 'value'}, {'token': 'value'}],
          [{'foo': 'value'}, {'secret': 'value'}, {'token': 'value'}]],
 'foo': 'value',
 'secret': '********************',
 'something': [{'foo': 'value'}, {'secret': 'value'}, {'token': 'value'}],
 'token': '********************'}

On Django 3.1 and up:

>>> from django.views.debug import SafeExceptionReporterFilter
>>> import pprint
>>> pprint.pprint(SafeExceptionReporterFilter().get_safe_settings()["MY_SETTING"])
{'else': [[{'foo': 'value'}, {'secret': 'value'}, {'token': 'value'}],
          [{'foo': 'value'}, {'secret': 'value'}, {'token': 'value'}]],
 'foo': 'value',
 'secret': '********************',
 'something': [{'foo': 'value'}, {'secret': 'value'}, {'token': 'value'}],
 'token': '********************'}

Change History (7)

comment:1 by Mariusz Felisiak, 5 years ago

Summary:	Settings are cleaned insufficiently → Settings are cleaned insufficiently.
Triage Stage:	Unreviewed → Accepted

comment:2 by Ichlasul Affan, 5 years ago

Owner:	set to Ichlasul Affan
Status:	new → assigned

comment:3 by Ichlasul Affan, 5 years ago

Do I need to change both versions? Or just create a single implementation for current master branch?

comment:4 by Ichlasul Affan, 5 years ago

comment:5 by Ichlasul Affan, 5 years ago

Has patch:	set

comment:6 by Mariusz Felisiak, 5 years ago

Triage Stage:	Accepted → Ready for checkin

comment:7 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

Resolution:	→ fixed
Status:	assigned → closed

In 3e7c39f7:

Fixed #31451 -- Made settings cleansing work with list and tuple settings.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues

Context Navigation

#31451 closed Cleanup/optimization (fixed)

Settings are cleaned insufficiently.

Description

Change History (7)

comment:1 by Mariusz Felisiak, 5 years ago

comment:2 by Ichlasul Affan, 5 years ago

comment:3 by Ichlasul Affan, 5 years ago

comment:4 by Ichlasul Affan, 5 years ago

comment:5 by Ichlasul Affan, 5 years ago

comment:6 by Mariusz Felisiak, 5 years ago

comment:7 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

Download in other formats:

Django Links

Learn More

Get Involved

Get Help

Follow Us

Support Us