#37170: No-argument form of @sensitive_post_parameters() doesn't cleanse request.POST
---------------------------------+---------------------------------------
Reporter: Jacob Walls | Owner: Jacob Walls
Type: Bug | Status: assigned
Component: Error reporting | Version: dev
Severity: Normal | Resolution:
Keywords: not-security | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Description changed by Jacob Walls:
Old description:
> The Security Team closed an informative report about the no-argument form
> of `@sensitive_post_parameters()` not cleansing request.POST, as you can
> see from adjusting this existing test:
>
> {{{#!diff
> diff --git a/tests/view_tests/views.py b/tests/view_tests/views.py
> index 1986341177..835fe22111 100644
> --- a/tests/view_tests/views.py
> +++ b/tests/view_tests/views.py
> @@ -398,7 +398,7 @@ async def
> async_sensitive_method_view_nested(request):
>
> @sensitive_variables("sauce")
> -@sensitive_post_parameters("bacon-key", "sausage-key")
> +@sensitive_post_parameters()
> def multivalue_dict_key_error(request):
> cooked_eggs = "".join(["s", "c", "r", "a", "m", "b", "l", "e", "d"])
> # NOQA
> sauce = "".join( # NOQA
> }}}
> {{{#!py
> AssertionError: 2 != 0 :'sausage-value' unexpectedly found in the following response
> }}}
>
> ... but the exception reporter filter is not in-scope for security
> issues, as filtering is done on a
> [https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-error-reports best-efforts basis].
>
> Looks like an oversight in #21098.
New description:
The Security Team closed an informative report about the no-argument form
of `@sensitive_post_parameters()` not cleansing request.POST, as you can
see from adjusting this existing test:
{{{#!diff
diff --git a/tests/view_tests/views.py b/tests/view_tests/views.py
index 1986341177..835fe22111 100644
--- a/tests/view_tests/views.py
+++ b/tests/view_tests/views.py
@@ -398,7 +398,7 @@ async def async_sensitive_method_view_nested(request):
@sensitive_variables("sauce")
-@sensitive_post_parameters("bacon-key", "sausage-key")
+@sensitive_post_parameters()
def multivalue_dict_key_error(request):
cooked_eggs = "".join(["s", "c", "r", "a", "m", "b", "l", "e", "d"])
# NOQA
sauce = "".join( # NOQA
}}}
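Review bot: the hunk swaps the decorator's explicit keys for the no-argument form but leaves the test's expectations untouched, so the AssertionError it produces is a reproduction rather than a regression test; for the eventual fix, keep the existing `@sensitive_post_parameters("bacon-key", "sausage-key")` case and add the `@sensitive_post_parameters()` form as a separate view and test so both the explicit-key and the cleanse-everything paths stay covered.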
{{{#!py
AssertionError: 2 != 0 :'sausage-value' unexpectedly found in the following response
}}}
... but the exception reporter filter is not in-scope for security issues,
as filtering is done on a
[https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-error-reports best-efforts basis].
Looks like an oversight in #21098.
Thanks LocalHost for the report.
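An added illustration of the failure mode the ticket describes (example code, not Django's own and not part of the ticket): a simplified model of the decorator and of the MultiValueDict cleansing helper, assuming the no-argument form stores the sentinel string "__ALL__" on the request. It shows how a per-parameter loop silently skips that sentinel, so nothing in request.POST is cleansed, and how checking for the sentinel first fixes it.

```python
# Added example, not Django's code: a simplified model of how the marker set
# by @sensitive_post_parameters() reaches the reporter's MultiValueDict cleansing.
# Assumption: the no-argument form stores the sentinel string "__ALL__".
CLEANSED = "********************"  # substitute written in place of secrets

def sensitive_post_parameters(*parameters):
    """Model of the decorator: record which POST keys are sensitive."""
    def decorator(view):
        def wrapped(request):
            request.sensitive_post_parameters = parameters or "__ALL__"
            return view(request)
        return wrapped
    return decorator

class Request:
    """Constructed stand-in for HttpRequest; a plain dict models POST."""
    def __init__(self, post):
        self.POST = post

def cleanse_buggy(request, mvd):
    """Per-parameter loop only: iterating "__ALL__" yields single characters,
    so with the no-argument form no real key is ever cleansed."""
    sensitive = getattr(request, "sensitive_post_parameters", ())
    cleansed = dict(mvd)
    for param in sensitive:
        if param in cleansed:
            cleansed[param] = CLEANSED
    return cleansed

def cleanse_fixed(request, mvd):
    """Honour the sentinel before falling back to the per-key loop."""
    sensitive = getattr(request, "sensitive_post_parameters", ())
    cleansed = dict(mvd)
    keys = list(cleansed) if sensitive == "__ALL__" else sensitive
    for param in keys:
        if param in cleansed:
            cleansed[param] = CLEANSED
    return cleansed

def run(cleanser, *names):
    """Decorate a view with the given names and cleanse a constructed POST."""
    @sensitive_post_parameters(*names)
    def view(request):
        return cleanser(request, request.POST)
    return view(Request({"bacon-key": "bacon-value", "sausage-key": "sausage-value"}))
```

With explicit keys both helpers cleanse the named values; with no arguments only the fixed helper does, which is the `'sausage-value' unexpectedly found` assertion from the adjusted test.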
Ticket URL: <https://code.djangoproject.com/ticket/37170#comment:1>