Fixed #33606 -- Cleansed sessionid cookie

[xi]

Ticket: https://code.djangoproject.com/ticket/33606

The session ID should be cleansed when reporting errors, just like other credentials.

Related to https://code.djangoproject.com/ticket/29714 Discussion on the mailing list: https://groups.google.com/g/django-developers/c/H5hJxpwYFcw

A quick github search yields multiple occasions where session IDs ended up in public bug reports. This could potentially be exploited by automatically searching for such requests and hijacking the associated accounts.

Note that in order to be effective we need to cleanse both request_COOKIES_items and request_meta['HTTP_COOKIE'].

[charettes]

Hello Tobias, thank you for submitting a PR after the discussion on the mailing list.

Could you possibly file a standalone ticket to track these changes as ticket-29714 was mainly about making ExceptionReporter easier to extend and not to track all future extension to it.

Thanks!

[xi]

I have one :thinking: — should the extra filtering for HTTP_COOKIE and settings.SESSION_COOKIE_NAME live in the specific methods, get_safe_request_meta() and get_safe_cookies() respectively, rather than being added to the cleanse_setting() helper? (I can go either way: just asking thoughts.)

I think both ways have benefits. What I like about the current approach is that it is consistent and therefore predictable. The only issue I see with that is the name cleanse_setting() because this is not limited to settings. Maybe this should simply be called cleanse().

Just my 2 cents, I think this is out of scope for this PR.

[jacobtylerwalls]

Hi @xi this dropped under the radar because the ticket still was flagged as Needs documentation. Now that 4.1 is released, it would be helpful if you could update the release note to 4.2 and unset Needs documentation on the ticket to show this as ripe for re-review. Thanks.

[xi]

Thanks for the reminder! I rebased the chanes and moved the changelog entry to 4.2