Email report of 500 error at /accounts/login/ shows the entered password in plain text

[jogwen]

Happened as a result of situation described in the separate Issue report 1868. After the full traceback, the email showed the following (note the password value entered by the user - shown in plain text):

Request repr():
<WSGIRequest
path:/accounts/login/,
GET:<QueryDict: {u'next': [u'/contact-us/']}>,
POST:<QueryDict: {u'username': [u'g.smith@example.com'], u'referrer': [u'https://example.com/contact-us/'], u'csrfmiddlewaretoken': [u'ejnpimakedhajhdlcegeplioahd'], u'password': [u'orangesAnd5Lemons']}>,

Django's version of the view that covers this is protected by the sensitive_post_parameters decorator, so that the values of POST parameters never appear in the emailed error report.

[jerivas]

So is it a matter of just decorating the view?

[jogwen]

I think so yes, but the slightly trickier bit might be figuring out which methods to decorate and for each one whether to protect only some variables (in which case supply their names as arguments to the decorator) or all the variables (supply no arguments to decorator). Try grepping the django code for sensitive_post_parameters and sensitive_variables to see how they do it there, and then figure out which of those methods have been 'replaced' in Mezzanine.

[jerivas]

Looks like we just need to decorate login, signup, and profile_update on the account views. The sensitive fields are password on LoginForm and password1, password2 on ProfileForm.

Would you like to contribute a PR?

[jerivas]

That’s the impression I got from reading the documentation. Please go ahead and submit a PR :) From: Vaibhav Gupta Sent: Monday, October 1, 2018 1:45 PM To: stephenmcd/mezzanine Cc: Ed Rivas; Mention Subject: Re: [stephenmcd/mezzanine] Email report of 500 error at/accounts/login/ shows the entered password in plain text (#1869) @jerivas If it is just decorating the views, I would like to do this so as to get started with this project. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

…

-- Confidentiality Notice: The content of this email is confidential and intended for the recipient specified in message only. It is strictly forbidden to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future. - Please do not print this email unless it is necessary. Every unprinted email helps the environment. -

[github-actions]

🎉 This issue has been resolved in version 5.0.0 🎉

The release is available on:

• GitHub release
• v5.0.0

Your semantic-release bot 📦🚀