
Fixed #799: any setting with "SECRET" or "PASSWORD" in the name is es…

…caped in the debug view output (this can be expanded if there are other "naughty words" we want to strip out in the future. Thanks, Ian

git-svn-id: http://code.djangoproject.com/svn/django/trunk@1242 bcc190cf-cafb-0310-a4f2-bffc1f526a37
1 parent 705a568 commit d6aa904487527d468a6b8bc097028d7af9a668e6 @jacobian jacobian committed
Showing with 15 additions and 2 deletions.
  1. +15 −2 django/views/debug.py
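--- a/django/views/debug.py
+++ b/django/views/debug.py
@@ -1,3 +1,4 @@
+import re
 import os
 import sys
 import inspect
@@ -6,6 +7,8 @@
 from django.core.template import Template, Context
 from django.utils.httpwrappers import HttpResponseServerError, HttpResponseNotFound
+HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD')
+
 def technical_500_response(request, exc_type, exc_value, tb):
 """
 Create a technical server error response. The last three arguments are
@@ -30,7 +33,17 @@ def technical_500_response(request, exc_type, exc_value, tb):
 'pre_context_lineno' : pre_context_lineno,
 })
 tb = tb.tb_next
-
+
+    # Turn the settings module into a dict, filtering out anything that
+    # matches HIDDEN_SETTINGS along the way.
+    settings_dict = {}
+    for k in dir(settings):
+        if k.isupper():
+            if HIDDEN_SETTINGS.search(k):
+                settings_dict[k] = '********************'
+            else:
+                settings_dict[k] = getattr(settings, k)
+
 t = Template(TECHNICAL_500_TEMPLATE)
 c = Context({
 'exception_type' : exc_type.__name__,
@@ -39,7 +52,7 @@ def technical_500_response(request, exc_type, exc_value, tb):
 'lastframe' : frames[-1],
 'request' : request,
 'request_protocol' : os.environ.get("HTTPS") == "on" and "https" or "http",
-        'settings' : dict([(k, getattr(settings, k)) for k in dir(settings) if k.isupper()]),
+        'settings' : settings_dict,
 })
 return HttpResponseServerError(t.render(c))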
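Review bot: The new masking loop filters only by setting *name*, while the same context still passes `request` to the template unfiltered on the `'request' : request` line, so if the template renders POST data (or the traceback frames' locals, which are built outside the visible hunk) a password submitted in the request that triggered the error is printed in clear text next to the masked setting. The same name pattern could be run over `request.POST` keys before the request reaches the context, or the template could be checked to confirm it never prints request bodies. Because the regex only ever sees names, a comment on the constant would keep a maintainer from assuming values are inspected: `# Masks settings by NAME only (names are already uppercase here); values are never examined, so a credential stored under another name still leaks.` Widening the pattern, as the commit message anticipates, to something like `HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD|TOKEN|KEY')` would catch API-key style settings, provided it does not mask unrelated ones in this settings module. The body of technical_500_response is only partly visible across the hunks.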
