django
django copied to clipboard
Fixed #33606 -- Cleansed sessionid cookie
Ticket: https://code.djangoproject.com/ticket/33606
The session ID should be cleansed when reporting errors, just like other credentials.
Related to https://code.djangoproject.com/ticket/29714 Discussion on the mailing list: https://groups.google.com/g/django-developers/c/H5hJxpwYFcw
A quick github search yields multiple occasions where session IDs ended up in public bug reports. This could potentially be exploited by automatically searching for such requests and hijacking the associated accounts.
Note that in order to be effective we need to cleanse both request_COOKIES_items
and request_meta['HTTP_COOKIE']
.
Hello Tobias, thank you for submitting a PR after the discussion on the mailing list.
Could you possibly file a standalone ticket to track these changes as ticket-29714 was mainly about making ExceptionReporter
easier to extend and not to track all future extension to it.
Thanks!
I have one :thinking: — should the extra filtering for
HTTP_COOKIE
andsettings.SESSION_COOKIE_NAME
live in the specific methods,get_safe_request_meta()
andget_safe_cookies()
respectively, rather than being added to thecleanse_setting()
helper? (I can go either way: just asking thoughts.)
I think both ways have benefits. What I like about the current approach is that it is consistent and therefore predictable. The only issue I see with that is the name cleanse_setting()
because this is not limited to settings. Maybe this should simply be called cleanse()
.
Just my 2 cents, I think this is out of scope for this PR.
Hi @xi this dropped under the radar because the ticket still was flagged as Needs documentation. Now that 4.1 is released, it would be helpful if you could update the release note to 4.2 and unset Needs documentation on the ticket to show this as ripe for re-review. Thanks.
Thanks for the reminder! I rebased the chanes and moved the changelog entry to 4.2