ja...@bcc190cf-cafb-0310-a4f2-bffc1f526a37  committed baa6fa9

Fixed #799: any setting with "SECRET" or "PASSWORD" in the name is escaped in the debug view output (this can be expanded if there are other "naughty words" we want to strip out in the future). Thanks, Ian

  • Parent commits 17a2d1c

Files changed (1)

File django/views/debug.py

+import re
 import os
 import sys
 import inspect
 from django.core.template import Template, Context
 from django.utils.httpwrappers import HttpResponseServerError, HttpResponseNotFound
 
+HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD')
+
 def technical_500_response(request, exc_type, exc_value, tb):
     """
     Create a technical server error response.  The last three arguments are
             'pre_context_lineno' : pre_context_lineno,
         })
         tb = tb.tb_next
-        
+    
+    # Turn the settings module into a dict, filtering out anything that 
+    # matches HIDDEN_SETTINGS along the way.
+    settings_dict = {}
+    for k in dir(settings):
+        if k.isupper():
+            if HIDDEN_SETTINGS.search(k):
+                settings_dict[k] = '********************'
+            else:
+                settings_dict[k] = getattr(settings, k)
+                
     t = Template(TECHNICAL_500_TEMPLATE)
     c = Context({
         'exception_type' : exc_type.__name__,
         'lastframe' : frames[-1],
         'request' : request,
         'request_protocol' : os.environ.get("HTTPS") == "on" and "https" or "http",
-        'settings' : dict([(k, getattr(settings, k)) for k in dir(settings) if k.isupper()]),
+        'settings' : settings_dict,
         
     })
     return HttpResponseServerError(t.render(c))
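Review bot: The name filter in `HIDDEN_SETTINGS` only covers settings whose name contains `SECRET` or `PASSWORD`, so a credential stored under another name (for example one ending in `_KEY` or `_TOKEN`), or held inside a dict- or list-valued setting, would still reach the 500 page through the `else` branch of the new loop. Consider widening the pattern, e.g. `HIDDEN_SETTINGS = re.compile('SECRET|PASS|KEY|TOKEN')`, and adding a comment above it such as `# Setting names matching this are masked in the technical 500 page; values are not inspected.` so the limit is explicit. `'request'` is still passed to the template unfiltered, so whether request data such as cookies or POST fields needs the same masking depends on the template, which is outside this diff. The body of `technical_500_response` is only partly visible here.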