HideSensitiveMiddleware: Hide passwords on middleware errors
It turns out that an exception in middleware (such as a CSRF failure) can bypass the hiding of sensitive post parameters (e.g. passwords in the login form). This adds a middleware that ensures that (unless the view specifies differently), the 'password' parameter is always hidden from error output (and for views that *do* specify differently, it is hidden also before the view is executed). Part of this (view middleware) could be fixed in Django https://code.djangoproject.com/ticket/33090, but this new middleware adds a bit more protection for exceptions before the view is even known.
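The gap the commit message describes, as an added sketch that is not the code from this commit: a middleware sets `request.sensitive_post_parameters` (the attribute Django's `@sensitive_post_parameters` decorator writes) before anything else runs, so an error raised ahead of the view still gets the password masked. `cleansed_post`, `failing_middleware`, `error_report_post` and the sample request are constructed stand-ins, and `cleansed_post` is a simplified model of `SafeExceptionReporterFilter.get_post_parameters`, not Django's implementation.

```python
from types import SimpleNamespace

SUBSTITUTE = "********************"  # placeholder Django's filter shows for hidden values


class HideSensitiveMiddleware:
    """Mark 'password' as sensitive before later middleware or the view runs."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # @sensitive_post_parameters sets this same attribute, but only once
        # the view is called; set a default early and let the view override it.
        if not hasattr(request, "sensitive_post_parameters"):
            request.sensitive_post_parameters = ["password"]
        return self.get_response(request)


def cleansed_post(request):
    """Simplified stand-in for SafeExceptionReporterFilter.get_post_parameters."""
    sensitive = getattr(request, "sensitive_post_parameters", [])
    if sensitive == "__ALL__":
        return {key: SUBSTITUTE for key in request.POST}
    return {k: (SUBSTITUTE if k in sensitive else v) for k, v in request.POST.items()}


def failing_middleware(get_response):
    """Constructed middleware that raises before any view is resolved."""
    def middleware(request):
        raise PermissionError("constructed middleware failure")
    return middleware


def error_report_post(with_hiding):
    """Return the POST data an error report would show for a failed login."""
    # Constructed sample request; SimpleNamespace stands in for HttpRequest.
    request = SimpleNamespace(POST={"username": "alice", "password": "hunter2"})
    chain = failing_middleware(lambda req: None)
    if with_hiding:
        chain = HideSensitiveMiddleware(chain)
    try:
        chain(request)
    except PermissionError:
        return cleansed_post(request)
    return None
```

In a real project the class would be listed first in `MIDDLEWARE` so that it runs before any middleware that can raise.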