Re: [Django] #36542: AdminSite views (such as login) leak sensitive POST data

Wed, 08 Apr 2026 09:33:21 -0700 

#36542: AdminSite views (such as login) leak sensitive POST data
-------------------------------------+-------------------------------------
     Reporter:  Olivier Dalang       |                    Owner:  (James)
                                     |  Kanin Kearpimy
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.admin        |                  Version:  5.2
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by kanin.kearpimy@…):

 Replying to [comment:16 Jacob Walls]:
 > > So, sensitive_variables("password") doesn't work out this scenario (I
 tried added once, it doesn't work).
 >
 > Can you add the stacktrace? I'm wondering if the failure you are
 simulating is causing errors inside `SessionMiddleware`, which would point
 at a larger design problem where `sensitive_post_parameters` is useless if
 a failure happens in middleware and we never reach the view. In which
 case, definitely out of scope for your issue here.

 I found it. Well, it depends on exception level in stack trace. For normal
 situation, `change_password` method raises exception, we can guard it
 there like [https://github.com/django/django/pull/20959/changes#diff-
 0b9b76020bca57d146eddea5c47e1e6a99744ce287a365e18a0d7685dd268f18R352-R354].

 However, some exception can raise at `get_user` middleware as well. For
 example, while user is logging in and Django can't access database / table
 of such database.

 Now, My PR only guard for `views` cases like Admin login view /
 change_password view. Should be enough for this ticket? Otherwise, I can
 also investigate more into middleware.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36542#comment:17>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/d/msgid/django-updates/0107019d6df00dbe-f9d9aa7d-5f81-42f6-8875-5037283178c1-000000%40eu-central-1.amazonses.com.

Reply via email to