#35930: Database password visible on debug page
-------------------------------------+-------------------------------------
Reporter: bytej4ck | Owner: (none)
Type: Bug | Status: new
Component: Error reporting | Version:
Severity: Normal | Resolution:
Keywords: db, password, exposed | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by bytej4ck):
* resolution: needsinfo =>
* status: closed => new
* summary: Database password visible on debug page (view source only) => Database password visible on debug page
* version: 4.1 =>
Old description:
> In the debug page view, secrets are not visible because they are masked with '*', but in
> the page source the db password is visible:
> [[Image(https://github.com/user-attachments/assets/a7504c2e-99b4-4268
> -8eab-1858742105ec)]]
>
> Password length: 99
> Characters: All password requirements including all symbols.
New description:
In the debug page view, secrets are not visible because they are masked with '*'. When
there is a MySQL db connection error due to an unreachable db server,
`self.connection = self.get_new_connection(conn_params)` exposes the db password
under the `Local vars` dropdown.
{{{
conn_params {'charset': 'utf8mb4',
'client_flag': 2,
'conv': {0: <class 'decimal.Decimal'>,
1: <class 'int'>,
2: <class 'int'>,
3: <class 'int'>,
4: <class 'float'>,
5: <class 'float'>,
7: <function DateTime_or_None at 0x7f6218e5b490>,
8: <class 'int'>,
9: <class 'int'>,
10: <function Date_or_None at 0x7f6218e5b640>,
11: <function typecast_time at 0x7f6219d803a0>,
12: <function DateTime_or_None at 0x7f6218e5b490>,
13: <class 'int'>,
15: <class 'bytes'>,
245: <class 'bytes'>,
246: <class 'decimal.Decimal'>,
249: <class 'bytes'>,
250: <class 'bytes'>,
251: <class 'bytes'>,
252: <class 'bytes'>,
253: <class 'bytes'>,
254: <class 'bytes'>,
<class 'array.array'>: <function array2Str at 0x7f6218e84160>,
<class 'decimal.Decimal'>: <function Decimal2Literal at 0x7f6218e840d0>,
<class 'datetime.date'>: <function Thing2Literal at 0x7f6218e84040>,
<class 'datetime.datetime'>: <function DateTime2literal at 0x7f6218e5b6d0>,
<class 'datetime.timedelta'>: <function DateTimeDelta2literal at 0x7f6218e5b760>,
<class 'set'>: <function Set2Str at 0x7f6218e5bd90>,
<class 'NoneType'>: <function None2NULL at 0x7f6218e5bf40>,
<class 'int'>: <function Thing2Str at 0x7f6218e5be20>,
<class 'float'>: <function Float2Str at 0x7f6218e5beb0>,
<class 'bool'>: <function Bool2Str at 0x7f6218e5bc70>},
'database': 'test-db',
'password': 'test_password',
'unix_socket': '/example/test-db',
'user': 'example_user'}
}}}
It would be better if all db credentials in debug mode were also masked
with '*'.
Ticket URL: <https://code.djangoproject.com/ticket/35930#comment:2>
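The masking the reporter asks for, as an added example (not Django's own code): a recursive cleanser that a reporter filter could run over a frame's locals before rendering the `Local vars` dropdown, including the non-string keys the `conv` mapping carries. The key pattern, mask string and sample frame are assumptions constructed for this example.

```python
import re
from typing import Any

# Key names whose values must never reach a debug-page variable dump unmasked.
# The pattern is an assumption for this example, modelled on substring matching
# of setting names; here it is applied to traceback frame locals as well, which
# is where the ticket's leak sits.
SENSITIVE_KEY_RE = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE|CREDENTIAL", re.I)
CLEANSED = "********************"


def cleanse_value(key: Any, value: Any) -> Any:
    """Mask ``value`` if ``key`` looks sensitive, else recurse into containers.

    Non-string keys (the ``conv`` mapping in the ticket is keyed by ints and
    Python classes) are never matched against the pattern, but their values
    are still descended into so nested mappings get cleansed as well.
    """
    if isinstance(key, str) and SENSITIVE_KEY_RE.search(key):
        return CLEANSED
    if isinstance(value, dict):
        return {k: cleanse_value(k, v) for k, v in value.items()}
    if isinstance(value, list):
        return [cleanse_value("", v) for v in value]
    if isinstance(value, tuple):
        return tuple(cleanse_value("", v) for v in value)
    return value


def cleanse_locals(frame_locals: dict[str, Any]) -> dict[str, Any]:
    """Cleanse every local variable of one traceback frame before rendering."""
    return {name: cleanse_value(name, val) for name, val in frame_locals.items()}


def contains_secret(frame_locals: dict[str, Any], secret: str) -> bool:
    """True if ``secret`` would still appear in the rendered ``Local vars`` dump."""
    return secret in repr(frame_locals)


# Constructed stand-in for the frame shown in the ticket, trimmed to a few
# ``conv`` entries; the values are samples, not real credentials.
SAMPLE_FRAME_LOCALS = {
    "self": "<DatabaseWrapper>",
    "conn_params": {
        "charset": "utf8mb4",
        "client_flag": 2,
        "conv": {0: "decimal.Decimal", 1: "int", int: "Thing2Str"},
        "database": "test-db",
        "password": "test_password",
        "unix_socket": "/example/test-db",
        "user": "example_user",
    },
}
```

Cleansing by key name catches the `password` entry without touching the other connection parameters, and the original locals are left unmodified so the error itself is still debuggable.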