Opened 3 years ago
Closed 2 years ago
#33606 closed Cleanup/optimization (fixed)
Session ID should be cleansed from error reporting
Reported by: | Tobias Bengfort | Owned by: | Tobias Bengfort |
---|---|---|---|
Component: | Error reporting | Version: | 4.0 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The session ID should be cleansed when reporting errors, just like other credentials. A patch is available at https://github.com/django/django/pull/15352.
See also #29714 and https://groups.google.com/g/django-developers/c/H5hJxpwYFcw.
A quick GitHub search yielded multiple occasions where session IDs ended up in public bug reports:
https://github.com/GibbsConsulting/django-plotly-dash/issues/376
https://github.com/ome/omero-mapr/issues/42
https://github.com/jhelbert/great_teaching_network/issues/220
https://github.com/dzone/osqa/issues/355
I am sure you could find many more. This could potentially be exploited by automatically searching for such requests and hijacking the associated accounts.
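The following is an added, self-contained example of the kind of cleansing the ticket asks for; it is not the reporter's patch and not Django's own code. It models a request as plain dicts (`META`, `COOKIES`, `POST`), treats any key matching a credential-like pattern (including `SESSION`) as sensitive, redacts session cookies both in the parsed cookie dict and inside the raw `HTTP_COOKIE` header, and ends with a guard that checks a report no longer contains the raw secret values before it is written anywhere. The sample request, the placeholder string, the key pattern and the list of session cookie names are all assumptions made for the example (`sessionid` is Django's default cookie name; the others are illustrative).

```python
import re
from typing import Any, Mapping

# Added example, not Django's implementation. The placeholder and key pattern
# are assumptions chosen to look like what an error-report filter would use.
CLEANSED_SUBSTITUTE = "********************"

# Keys whose values are credential-like. SESSION is the addition the ticket
# asks for; the rest are the usual suspects (API keys, tokens, passwords).
HIDDEN_KEYS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE|SESSION", re.I)

# Cookie names that carry a session identifier. "sessionid" is Django's default
# SESSION_COOKIE_NAME; the other two are assumed for the example.
SESSION_COOKIE_NAMES = {"sessionid", "PHPSESSID", "JSESSIONID"}


def cleanse_value(key: str, value: Any) -> Any:
    """Return value unchanged, or the placeholder if key looks credential-like.

    Dicts and lists are cleansed recursively so a sensitive key buried inside a
    nested structure is still hidden.
    """
    if HIDDEN_KEYS.search(str(key)):
        return CLEANSED_SUBSTITUTE
    if isinstance(value, Mapping):
        return {k: cleanse_value(k, v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(cleanse_value("", v) for v in value)
    return value


def cleanse_cookie_header(header: str) -> str:
    """Redact session/credential cookies inside a raw Cookie header.

    The raw header shows up in META as HTTP_COOKIE; redacting only the
    sensitive pairs keeps the harmless cookies readable for debugging.
    """
    parts = []
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and (name in SESSION_COOKIE_NAMES or HIDDEN_KEYS.search(name)):
            value = CLEANSED_SUBSTITUTE
        parts.append(f"{name}={value}" if sep else name)
    return "; ".join(parts)


def cleanse_cookies(cookies: Mapping[str, str]) -> dict:
    """Cleanse the parsed cookie dict, hiding session cookies by name."""
    return {
        k: CLEANSED_SUBSTITUTE if k in SESSION_COOKIE_NAMES else cleanse_value(k, v)
        for k, v in cookies.items()
    }


def cleanse_request(request: Mapping[str, Any]) -> dict:
    """Build the version of a request that is safe to include in an error report."""
    meta = dict(request.get("META", {}))
    if "HTTP_COOKIE" in meta:
        meta["HTTP_COOKIE"] = cleanse_cookie_header(meta["HTTP_COOKIE"])
    return {
        "META": {k: cleanse_value(k, v) for k, v in meta.items()},
        "COOKIES": cleanse_cookies(request.get("COOKIES", {})),
        "POST": {k: cleanse_value(k, v) for k, v in request.get("POST", {}).items()},
    }


def leaked_values(report: Mapping[str, Any], secrets) -> list:
    """Return the secret strings that still appear anywhere in a report.

    A last-line guard to run before a report is logged or pasted into a bug
    tracker; an empty list means none of the known secrets leaked.
    """
    blob = repr(report)
    return [s for s in secrets if s in blob]


# Constructed sample request (not a real capture). The session ID and password
# are made-up values used only to show they get removed.
SAMPLE_REQUEST = {
    "META": {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/dash/app/",
        "HTTP_COOKIE": "csrftoken=abc123; sessionid=k3z9q2w8x1v7; theme=dark",
        "HTTP_USER_AGENT": "Mozilla/5.0",
    },
    "COOKIES": {"csrftoken": "abc123", "sessionid": "k3z9q2w8x1v7", "theme": "dark"},
    "POST": {"username": "alice", "password": "hunter2"},
}


if __name__ == "__main__":
    safe = cleanse_request(SAMPLE_REQUEST)
    print(safe)
    print("leaked:", leaked_values(safe, ["k3z9q2w8x1v7", "hunter2"]))
```

In a Django project the same logic would live in a subclass of `django.views.debug.SafeExceptionReporterFilter` (overriding `cleanse_setting` or widening its `hidden_settings` pattern) selected through the `DEFAULT_EXCEPTION_REPORTER_FILTER` setting; the example above stays framework-free so it can be run and tested without a Django install. Note that `csrftoken` is redacted as a side effect of the `TOKEN` match, which is the conservative outcome: an over-broad pattern hides a harmless value, an under-broad one leaks a credential.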
Change History (6)
comment:1 by , 3 years ago
Triage Stage: | Unreviewed → Accepted |
---|---|
Type: | Bug → Cleanup/optimization |
comment:2 by , 3 years ago
Owner: | set to |
---|---|
Status: | new → assigned |
comment:3 by , 3 years ago
Needs documentation: | set |
---|
comment:4 by , 2 years ago
Needs documentation: | unset |
---|
comment:5 by , 2 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
comment:6 by , 2 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
In 350455b6: