HideSensitiveMiddleware: Hide passwords on middleware errors
It turns out that an exception in middleware (such as a CSRF failure)
can bypass the hiding of sensitive post parameters (e.g. passwords in
the login form).

This adds a middleware that ensures that (unless the view specifies
differently), the 'password' parameter is always hidden from error
output (and for views that *do* specify differently, it is hidden also
before the view is executed).

Part of this (view middleware) could be fixed in Django
https://code.djangoproject.com/ticket/33090, but this new middleware
adds a bit more protection for exceptions before the view is even known.
matthijskooijman committed Aug 12, 2022
1 parent d599824 commit 0221114
Showing 2 changed files with 24 additions and 0 deletions.
20 changes: 20 additions & 0 deletions arta/common/middleware.py
@@ -0,0 +1,20 @@
from django.utils.deprecation import MiddlewareMixin


class HideSensitiveMiddleware(MiddlewareMixin):
"""
Hide sensitive post variables.
Django has a mechanism to hide these on a per-view basis, but this makes sure that the variables listed here are
hidden even on errors in middleware (i.e. before the view is ran).
In part, this is a workaround around https://code.djangoproject.com/ticket/33090, but even with that fixed, this
middleware adds a bit extra security for exceptions that are triggered before the view is even known.
Note that this value is overwritten once a view that has its own sensitive_post_variables specified is ran, but
that should be ok, the view should then know better.
"""

def __call__(self, request):
request.sensitive_post_parameters = ['password']
return super().__call__(request)
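Review bot: The list assigned in `request.sensitive_post_parameters = ['password']` only matches a POST field named exactly `password`, so a form whose password fields use any other name is still shown in error output when an exception is raised before the view runs. Consider moving the list to a module-level constant or a setting that names every password-like field the project's forms submit. The commit touches only two files and adds no test, so also add one that raises from a later middleware and checks the value is absent from the error report. The docstring also refers to `sensitive_post_variables`, while the attribute set here is `sensitive_post_parameters`; using the same name in both places would make the overwrite behaviour it describes easier to follow.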
4 changes: 4 additions & 0 deletions arta/settings/production.py
Expand Up @@ -98,3 +98,7 @@
# TODO: A day is probably too long already, in Django (the upcoming) 3.1 this can be
# specified in seconds instead.
PASSWORD_RESET_TIMEOUT_DAYS = 1

# Add extra protection for passwords, partially to work around https://code.djangoproject.com/ticket/33090 but also to
# add even a bit more protection. Must be first to maximise coverage.
MIDDLEWARE.append(0, 'arta.common.middleware.HideSensitiveMiddleware')
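Review bot: `MIDDLEWARE.append(0, 'arta.common.middleware.HideSensitiveMiddleware')` on the last added line passes two arguments to `list.append`, which accepts one, so importing this settings module raises a TypeError. The "Must be first" comment above it describes `MIDDLEWARE.insert(0, 'arta.common.middleware.HideSensitiveMiddleware')`. Because the line lives in production.py, the failure would only show up when the production settings are loaded, so it is worth importing that module in a test or CI step.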
