summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorJulien Phalip <jphalip@gmail.com>2012-12-31 09:34:08 -0800
committerJulien Phalip <jphalip@gmail.com>2012-12-31 09:51:13 -0800
commitdfd8623de4e225e33c334086ff4e2ccdfb07247f (patch)
tree318b722bb3212031bfd33f0fb6bba9ed6415210e /django
parentfd1279a44df3b9a837453cd79fd0fbcf81bae39d (diff)
[1.5.x] Fixed #19453 -- Ensured that the decorated function's arguments are obfuscated in the @sensitive_variables decorator's frame, in case the variables associated with those arguments were meant to be obfuscated from the decorated function's frame.
Thanks to vzima for the report. Backport of 9180146d21cf2a31eec
Diffstat (limited to 'django')
-rw-r--r--django/views/debug.py22
-rw-r--r--django/views/decorators/debug.py4
2 files changed, 17 insertions, 9 deletions
diff --git a/django/views/debug.py b/django/views/debug.py
index aaa7e40efe..e5f4c70191 100644
--- a/django/views/debug.py
+++ b/django/views/debug.py
@@ -172,13 +172,12 @@ class SafeExceptionReporterFilter(ExceptionReporterFilter):
break
current_frame = current_frame.f_back
- cleansed = []
+ cleansed = {}
if self.is_active(request) and sensitive_variables:
if sensitive_variables == '__ALL__':
# Cleanse all variables
for name, value in tb_frame.f_locals.items():
- cleansed.append((name, CLEANSED_SUBSTITUTE))
- return cleansed
+ cleansed[name] = CLEANSED_SUBSTITUTE
else:
# Cleanse specified variables
for name, value in tb_frame.f_locals.items():
@@ -187,16 +186,25 @@ class SafeExceptionReporterFilter(ExceptionReporterFilter):
elif isinstance(value, HttpRequest):
# Cleanse the request's POST parameters.
value = self.get_request_repr(value)
- cleansed.append((name, value))
- return cleansed
+ cleansed[name] = value
else:
# Potentially cleanse only the request if it's one of the frame variables.
for name, value in tb_frame.f_locals.items():
if isinstance(value, HttpRequest):
# Cleanse the request's POST parameters.
value = self.get_request_repr(value)
- cleansed.append((name, value))
- return cleansed
+ cleansed[name] = value
+
+ if (tb_frame.f_code.co_name == 'sensitive_variables_wrapper'
+ and 'sensitive_variables_wrapper' in tb_frame.f_locals):
+ # For good measure, obfuscate the decorated function's arguments in
+ # the sensitive_variables decorator's frame, in case the variables
+ # associated with those arguments were meant to be obfuscated from
+ # the decorated function's frame.
+ cleansed['func_args'] = CLEANSED_SUBSTITUTE
+ cleansed['func_kwargs'] = CLEANSED_SUBSTITUTE
+
+ return cleansed.items()
class ExceptionReporter(object):
"""
diff --git a/django/views/decorators/debug.py b/django/views/decorators/debug.py
index 5c222963d3..78ae6b1442 100644
--- a/django/views/decorators/debug.py
+++ b/django/views/decorators/debug.py
@@ -26,12 +26,12 @@ def sensitive_variables(*variables):
"""
def decorator(func):
@functools.wraps(func)
- def sensitive_variables_wrapper(*args, **kwargs):
+ def sensitive_variables_wrapper(*func_args, **func_kwargs):
if variables:
sensitive_variables_wrapper.sensitive_variables = variables
else:
sensitive_variables_wrapper.sensitive_variables = '__ALL__'
- return func(*args, **kwargs)
+ return func(*func_args, **func_kwargs)
return sensitive_variables_wrapper
return decorator