
Fixed #799: any setting with "SECRET" or "PASSWORD" in the name is escaped in the debug view output (this can be expanded if there are other "naughty words" we want to strip out in the future). Thanks, Ian

git-svn-id: http://code.djangoproject.com/svn/django/trunk@1242 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit d6aa904487527d468a6b8bc097028d7af9a668e6 1 parent 705a568
@jacobian jacobian authored
Showing with 15 additions and 2 deletions.
  1. +15 −2 django/views/debug.py
17 django/views/debug.py
@@ -1,3 +1,4 @@
+import re
import os
import sys
import inspect
@@ -6,6 +7,8 @@
from django.core.template import Template, Context
from django.utils.httpwrappers import HttpResponseServerError, HttpResponseNotFound
+HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD')
+
def technical_500_response(request, exc_type, exc_value, tb):
"""
Create a technical server error response. The last three arguments are
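Review bot: The `HIDDEN_SETTINGS` pattern covers only names containing `SECRET` or `PASSWORD`, so a credential kept under a name built from words such as `KEY`, `TOKEN` or `PASS` would still be rendered in the debug page. Since the commit message already anticipates expanding the list, I would widen it now, for example `HIDDEN_SETTINGS = re.compile('SECRET|PASS|KEY|TOKEN')`. A comment above it such as `# Names of settings whose values are masked in the technical 500 page.` would make the list easy to find and extend. Case is not a concern, because the loop in the next hunk only considers names for which `k.isupper()` is true.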
@@ -30,7 +33,17 @@ def technical_500_response(request, exc_type, exc_value, tb):
'pre_context_lineno' : pre_context_lineno,
})
tb = tb.tb_next
-
+
+ # Turn the settings module into a dict, filtering out anything that
+ # matches HIDDEN_SETTINGS along the way.
+ settings_dict = {}
+ for k in dir(settings):
+ if k.isupper():
+ if HIDDEN_SETTINGS.search(k):
+ settings_dict[k] = '********************'
+ else:
+ settings_dict[k] = getattr(settings, k)
+
t = Template(TECHNICAL_500_TEMPLATE)
c = Context({
'exception_type' : exc_type.__name__,
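Review bot: The filter at `if HIDDEN_SETTINGS.search(k):` decides on the setting's name alone, so a credential held inside the value of a differently named setting (a dict or tuple, or a connection string) is still copied by `getattr(settings, k)` and rendered. That limit deserves a comment next to the loop, e.g. `# NOTE: only the setting name is checked; values of other settings are shown unmodified.` `technical_500_response` starts before this hunk and continues past it.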
@@ -39,7 +52,7 @@ def technical_500_response(request, exc_type, exc_value, tb):
'lastframe' : frames[-1],
'request' : request,
'request_protocol' : os.environ.get("HTTPS") == "on" and "https" or "http",
- 'settings' : dict([(k, getattr(settings, k)) for k in dir(settings) if k.isupper()]),
+ 'settings' : settings_dict,
})
return HttpResponseServerError(t.render(c))
