#36542: AdminSite views (such as login) leak sensitive POST data
-------------------------------------+-------------------------------------
     Reporter:  Olivier Dalang       |                    Owner:  (James)
                                     |  Kanin Kearpimy
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.admin        |                  Version:  5.2
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by kanin.kearpimy@…):

 Hi everyone,

 I found an interesting bug for `reset password`. Well, this card relates to
 `login` mainly, but the reporter left comments about the `reset password`
 scenario as well. So, I had a look at it.

 Please see diagram below for clarification.

 [[Image(https://i.postimg.cc/ZRvWWjfW/django-ticket-36542.jpg)]]

 For the `login` scenario, it's simpler, because when the user hits login, it
 invokes the `authenticate` function to authenticate that user's credentials.
 If the database throws an error, we can use `sensitive_variables("password")`
 to hide the `password-y` local variables in the related methods, which I did
 in the current [PR](https://github.com/django/django/pull/20959).

 However, the `reset password` scenario is another story. Because only an
 **authenticating user** is able to **reset** their password, the system
 attempts to get the user's information via `get_user`. If the database
 throws an error there, it goes directly to the `debug` page, without going
 through `authenticate` or any function holding `password-y` local variables.
 So `sensitive_variables("password")` doesn't work out in this scenario (I
 tried adding it once; it doesn't work).

 Technically, we can hide it in `debug.py`, or we need time to investigate
 more. But I'm not sure whether it will be too complicated for this ticket
 (or whether we can open it as another issue)?

 Please suggest.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36542#comment:15>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

To view this discussion visit 
https://groups.google.com/d/msgid/django-updates/0107019d5c9b225c-0439c823-5d1b-4ce5-821f-5f11e3a693da-000000%40eu-central-1.amazonses.com.

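The comment above hinges on how `sensitive_variables` reaches (or fails to reach) the frames shown on the debug page. The following is an added, self-contained Python example, not Django's code, the commenter's PR or anything from the ticket: it re-implements the decorator and the frame scrubbing in miniature, using the same lookup strategy as Django's exception reporter filter (walk from each traceback frame through `f_back` looking for a `sensitive_variables_wrapper` frame), and then replays the two scenarios from the comment. `db_lookup`, `login_view`, `get_user`, `password_reset_confirm`, `password_reset_confirm_covered` and the POST dictionaries are constructed stand-ins for the real views, the user model lookup and `request.POST`; the `DatabaseError` is raised on purpose to simulate the failure the comment describes.

```python
import functools

CLEANSED = "********"


def sensitive_variables(*names):
    """Mark the named locals (all locals when none are given) as sensitive in
    the decorated function's frame and in every frame it calls into.  The
    wrapper records the names in its own frame so the scrubber can find them
    by walking f_back.  (Django keeps the names on the wrapper function object
    instead; the frame-walking lookup is the same idea.)"""
    def decorator(func):
        @functools.wraps(func)
        def sensitive_variables_wrapper(*func_args, **func_kwargs):
            sensitive_names = names or "__ALL__"  # read back via f_locals
            return func(*func_args, **func_kwargs)
        return sensitive_variables_wrapper
    return decorator


def find_sensitive_names(frame):
    """Walk from `frame` towards the outermost caller and return the names
    recorded by the nearest wrapper frame, or None when no decorated function
    is anywhere on the call path (the reset-password case in the comment)."""
    current = frame
    while current is not None:
        if (current.f_code.co_name == "sensitive_variables_wrapper"
                and "sensitive_names" in current.f_locals):
            return current.f_locals["sensitive_names"]
        current = current.f_back
    return None


def cleanse_frame_locals(frame):
    names = find_sensitive_names(frame)
    if names == "__ALL__":
        cleansed = {name: CLEANSED for name in frame.f_locals}
    else:
        cleansed = {name: (CLEANSED if names and name in names else value)
                    for name, value in frame.f_locals.items()}
    if frame.f_code.co_name == "sensitive_variables_wrapper":
        # The wrapper's own frame holds the decorated function's arguments,
        # which may be the very values being hidden; blank them as well.
        cleansed["func_args"] = CLEANSED
        cleansed["func_kwargs"] = CLEANSED
    return cleansed


def scrubbed_traceback(exc):
    """Return [(function name, cleansed locals)] for each traceback frame,
    outermost first, i.e. what a debug page would render."""
    frames = []
    tb = exc.__traceback__
    while tb is not None:
        frame = tb.tb_frame
        frames.append((frame.f_code.co_name, cleanse_frame_locals(frame)))
        tb = tb.tb_next
    return frames


class DatabaseError(Exception):
    """Constructed stand-in for a database error raised mid-request."""


def db_lookup(username):
    raise DatabaseError("connection refused")


@sensitive_variables("password")
def authenticate(username, password):
    return db_lookup(username)  # fails while `password` is a local here


def login_view(post):
    # Undecorated view: it is a *caller* of authenticate(), so the decorator
    # on authenticate() does not reach this frame and `post` stays visible.
    return authenticate(post["username"], post["password"])


def get_user(uidb64):
    raise DatabaseError("connection refused")


def password_reset_confirm(post, uidb64):
    # Fails inside get_user() before any decorated function is entered, so
    # there is no wrapper frame on the call path and nothing is cleansed.
    user = get_user(uidb64)
    return user, post["new_password1"]


@sensitive_variables("post")
def password_reset_confirm_covered(post, uidb64):
    # Same view with the decorator on the outermost frame that holds the
    # value: get_user()'s frame sits below it, so the lookup still finds it.
    user = get_user(uidb64)
    return user, post["new_password1"]


def run(view, *args):
    """Call a view and return the scrubbed traceback of the error it raises."""
    try:
        view(*args)
    except DatabaseError as exc:
        return scrubbed_traceback(exc)
    raise RuntimeError("view was expected to fail")


if __name__ == "__main__":
    # Constructed POST data standing in for request.POST.
    for name, frame_locals in run(login_view, {"username": "alice", "password": "hunter2"}):
        print(name, frame_locals)
    for name, frame_locals in run(password_reset_confirm, {"new_password1": "NewSecret1"}, "Mw"):
        print(name, frame_locals)
```

Running it shows the asymmetry the comment describes: in the login path `password` is blanked in `authenticate`'s frame (and in `db_lookup` below it), but the undecorated caller's `post` dictionary is printed in full; in the reset path nothing is cleansed at all because no decorated frame is on the stack when `get_user` fails. Decorating the outermost frame that holds the value covers every frame beneath it, which is why a decorator placed deeper than the failure point has no effect.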