Exact Hawk errors are sent to the client with 401 responses #11

Closed
kumar303 opened this Issue Oct 1, 2015 · 0 comments

kumar303 commented Oct 1, 2015

I guess this wasn't documented too well in DRF (or I'm just dumb 💡) but exception values are sent as a response to the client, resulting in things like:

<Response [401]>
{"detail":"access denied: MacMismatch: MACs do not match; ours: mbWCYE2x2BwEw3BHbtscUOVy0lgI9mO+Tj9oKRrvySs=; theirs: 5tqRSdX+ev+oumz2/+saKY3Xrgf8kmFDqAXzCn5tigg="}

This is a potential security problem because it might give the attacker enough clues to figure out how to break the keys.
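The fix that closed this issue was to stop passing exception text through to the 401 body. The following is an added illustration of that pattern, not code from this project or from DRF: it assumes a simplified Hawk-style MAC check (base64 of HMAC-SHA256 over a normalized request string), keeps the verbose MacMismatch message for the server log, and returns only a fixed "access denied" detail to the client.

```python
import base64
import hashlib
import hmac
import logging

log = logging.getLogger("hawk-auth")


class MacMismatch(Exception):
    """Internal error; its message deliberately carries both MACs for debugging."""


def compute_mac(key: bytes, normalized: bytes) -> str:
    # Hawk-style MAC: base64(HMAC-SHA256(key, normalized request string)).
    return base64.b64encode(hmac.new(key, normalized, hashlib.sha256).digest()).decode()


def verify_mac(key: bytes, normalized: bytes, theirs: str) -> None:
    ours = compute_mac(key, normalized)
    # Constant-time compare so the comparison itself leaks nothing about "ours".
    if not hmac.compare_digest(ours, theirs):
        # Verbose on purpose: this is what must NOT reach the HTTP response.
        raise MacMismatch(f"MACs do not match; ours: {ours}; theirs: {theirs}")


def authenticate(key: bytes, normalized: bytes, theirs: str) -> dict:
    """Return a dict with the HTTP status and JSON body to send to the client.

    The internal exception text goes to the server log only; the client sees a
    fixed message, so the response body never contains the expected MAC.
    """
    try:
        verify_mac(key, normalized, theirs)
    except MacMismatch as exc:
        log.warning("hawk authentication failed: %s", exc)  # detail stays server-side
        return {"status": 401, "body": {"detail": "access denied"}}
    return {"status": 200, "body": {"detail": "ok"}}
```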

kumar303 added a commit that referenced this issue Oct 1, 2015

@kumar303 kumar303 closed this in 9dd7fd9 Oct 1, 2015

kumar303 added a commit that referenced this issue Oct 1, 2015

Merge pull request #12 from kumar303/error-response
Don't leak exception info to response (fixes #11)