#36542: AdminSite views (such as login) leak sensitive POST data
-------------------------------------+-------------------------------------
Reporter: Olivier Dalang | Owner: (James) Kanin Kearpimy
Type: Bug | Status: assigned
Component: contrib.admin | Version: 5.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Timothy Schilling):
@Tim, it looks like the documentation you're looking for exists at
https://docs.djangoproject.com/en/6.0/topics/logging/#adminemailhandler
> The built-in AdminEmailHandler deserves a mention in the context of
security. If its include_html option is enabled, the email message it
sends will contain a full traceback, with names and values of local
variables at each level of the stack, plus the values of your Django
settings (in other words, the same level of detail that is exposed in a
web page when DEBUG is True).
@kanin, I agree with your conclusion of "So, it's good idea to imitate the
#35930 approach and cover up all auth app function with local password-y
variables?". This seems like the better approach, since it highlights, on
the view, which parameters need to be sanitized, because the decorator is
physically close to it.
--
Ticket URL: <https://code.djangoproject.com/ticket/36542#comment:12>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
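Added example, not part of the ticket and not Django's own code: a small Django-free reimplementation of the frame-marking mechanism behind `django.views.decorators.debug.sensitive_variables` / `sensitive_post_parameters` and the cleansing done by `django.views.debug.SafeExceptionReporterFilter`, so that the point made in the comment above can be run without Django installed. It shows why decorating only the view is not enough: the names listed on the view's decorator are applied to the frames below it, so an undecorated auth helper that binds the same secret under a different local name (`raw_password` here) still appears in the local-variable dump that a DEBUG page or an `include_html` admin e-mail would contain, while the same helper carrying its own decorator (the #35930 approach) does not. `cleanse_frames`, `cleanse_post`, `locals_of`, `FakeRequest`, `login_view`, `check_credentials`, `check_credentials_covered` and `simulate`, and the constructed POST body, are all hypothetical names and data for this example.

```python
import functools

# Same substitute string Django's SafeExceptionReporterFilter uses.
CLEANSED = "********************"


def sensitive_variables(*names):
    """Mirror of Django's decorator: the wrapper frame carries the names,
    and the reporter finds them by walking callers from the raising frame."""
    def decorator(func):
        @functools.wraps(func)
        def sensitive_variables_wrapper(*args, **kwargs):
            sensitive_variables_wrapper.sensitive_variables = names or "__ALL__"
            return func(*args, **kwargs)
        return sensitive_variables_wrapper
    return decorator


def sensitive_post_parameters(*names):
    """Mirror of Django's decorator: the marker is stored on the request."""
    def decorator(view):
        @functools.wraps(view)
        def sensitive_post_parameters_wrapper(request, *args, **kwargs):
            request.sensitive_post_parameters = names or "__ALL__"
            return view(request, *args, **kwargs)
        return sensitive_post_parameters_wrapper
    return decorator


def _sensitive_names(frame):
    """Walk the callers of `frame` to the nearest sensitive_variables_wrapper."""
    f = frame.f_back
    while f is not None:
        if (f.f_code.co_name == "sensitive_variables_wrapper"
                and "sensitive_variables_wrapper" in f.f_locals):
            return f.f_locals["sensitive_variables_wrapper"].sensitive_variables
        f = f.f_back
    return None


def cleanse_frames(tb):
    """[(function_name, {local: value}), ...] for every frame in the traceback,
    outermost first, with marked locals replaced: the dump a DEBUG page or an
    include_html e-mail would show."""
    report = []
    while tb is not None:
        frame = tb.tb_frame
        names = _sensitive_names(frame)
        shown = {}
        for k, v in frame.f_locals.items():
            if names == "__ALL__" or (names and k in names):
                v = CLEANSED
            shown[k] = v
        if frame.f_code.co_name == "sensitive_variables_wrapper":
            shown["args"] = shown["kwargs"] = CLEANSED  # wrapper's own copy of the secret
        report.append((frame.f_code.co_name, shown))
        tb = tb.tb_next
    return report


def cleanse_post(request):
    marked = getattr(request, "sensitive_post_parameters", ())
    if marked == "__ALL__":
        return {k: CLEANSED for k in request.POST}
    return {k: (CLEANSED if k in marked else v) for k, v in request.POST.items()}


def locals_of(report, function_name):
    """Innermost frame named `function_name` in a cleanse_frames() report."""
    return [shown for name, shown in report if name == function_name][-1]


class FakeRequest:
    """Constructed stand-in for an HttpRequest; only .POST is used here."""
    def __init__(self, post):
        self.POST = dict(post)


def check_credentials(username, raw_password):
    # Undecorated auth helper: binds the secret under a different local name.
    raise RuntimeError("auth backend unavailable")


@sensitive_variables("password")
def check_credentials_covered(username, password):
    # Same helper with its own decorator, as in the #35930 approach.
    raise RuntimeError("auth backend unavailable")


@sensitive_post_parameters("password")
@sensitive_variables("password")
def login_view(request, helper):
    username = request.POST["username"]
    password = request.POST["password"]
    return helper(username, password)


def simulate(helper):
    """Run login_view with a constructed POST, capture the failure, and
    return (cleansed POST, cleansed frame report)."""
    request = FakeRequest({"username": "alice", "password": "hunter2"})
    try:
        login_view(request, helper)
    except RuntimeError as exc:
        return cleanse_post(request), cleanse_frames(exc.__traceback__)
    raise AssertionError("helper was expected to raise")


if __name__ == "__main__":
    for helper in (check_credentials, check_credentials_covered):
        post, report = simulate(helper)
        print(helper.__name__, post, locals_of(report, helper.__name__))
```

Running it shows `password` scrubbed in `login_view` and in the POST for both helpers, but `raw_password='hunter2'` intact in `check_credentials`, because the view's decorator only knows the name `password`; the cleansing is driven by variable names, not by the value. That is the reason for decorating the auth functions themselves rather than relying on the view alone.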