diff options
| author | Luke Plant <L.Plant.98@cantab.net> | 2011-06-08 22:18:46 +0000 |
|---|---|---|
| committer | Luke Plant <L.Plant.98@cantab.net> | 2011-06-08 22:18:46 +0000 |
| commit | 45e55b91435541203f517770c654675f67fa6a3b (patch) | |
| tree | b11800b084b32d91cf3a59cd40993c9b05503321 /docs | |
| parent | bb12a02bd8cd6e33b947b2cfa01292822099bb19 (diff) | |
Fixed #14614 - filtering of sensitive information in 500 error reports.
This adds a flexible mechanism for filtering what request/traceback
information is shown in 500 error emails and logs. It also applies
screening to some views known to be sensitive e.g. views that handle
passwords.
Thanks to oaylanc for the report and many thanks to Julien Phalip for the
patch and the rest of the work on this.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16339 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/howto/error-reporting.txt | 191 | ||||
| -rw-r--r-- | docs/ref/request-response.txt | 2 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 11 | ||||
| -rw-r--r-- | docs/releases/1.4.txt | 20 | ||||
| -rw-r--r-- | docs/topics/logging.txt | 4 |
5 files changed, 215 insertions, 13 deletions
diff --git a/docs/howto/error-reporting.txt b/docs/howto/error-reporting.txt index c15c1d872d..957d977364 100644 --- a/docs/howto/error-reporting.txt +++ b/docs/howto/error-reporting.txt @@ -1,5 +1,5 @@ -Error reporting via email -========================= +Error reporting +=============== When you're running a public site you should always turn off the :setting:`DEBUG` setting. That will make your server run much faster, and will @@ -9,11 +9,14 @@ revealed by the error pages. However, running with :setting:`DEBUG` set to ``False`` means you'll never see errors generated by your site -- everyone will just see your public error pages. You need to keep track of errors that occur in deployed sites, so Django can be -configured to email you details of those errors. +configured to create reports with details about those errors. -Server errors +Email reports ------------- +Server errors +~~~~~~~~~~~~~ + When :setting:`DEBUG` is ``False``, Django will email the users listed in the :setting:`ADMINS` setting whenever your code raises an unhandled exception and results in an internal server error (HTTP status code 500). This gives the @@ -48,7 +51,7 @@ setting. </topics/logging>`. 404 errors ----------- +~~~~~~~~~~ Django can also be configured to email errors about broken links (404 "page not found" errors). Django sends emails about 404 errors when: @@ -96,13 +99,6 @@ The best way to disable this behavior is to set .. seealso:: - You can also set up custom error reporting by writing a custom piece of - :ref:`exception middleware <exception-middleware>`. If you do write custom - error handling, it's a good idea to emulate Django's built-in error handling - and only report/log errors if :setting:`DEBUG` is ``False``. - -.. seealso:: - .. versionadded:: 1.3 404 errors are logged using the logging framework. By default, these log @@ -116,3 +112,174 @@ The best way to disable this behavior is to set Previously, two settings were used to control which URLs not to report: :setting:`IGNORABLE_404_STARTS` and :setting:`IGNORABLE_404_ENDS`. They were replaced by :setting:`IGNORABLE_404_URLS`. + +.. _filtering-error-reports: + +Filtering error reports +----------------------- + +.. versionadded:: 1.4 + +Filtering sensitive information +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Error reports are really helpful for debugging errors, so it is generally +useful to record as much relevant information about those errors as possible. +For example, by default Django records the `full traceback`_ for the +exception raised, each `traceback frame`_'s local variables, and the +:class:`HttpRequest`'s :ref:`attributes<httprequest-attributes>`. + +However, sometimes certain types of information may be too sensitive and thus +may not be appropriate to be kept track of, for example a user's password or +credit card number. So Django offers a set of function decorators to help you +control which information should be filtered out of error reports in a +production environment (that is, where :setting:`DEBUG` is set to ``False``): +:func:`sensitive_variables` and :func:`sensitive_post_parameters`. + +.. _`full traceback`: http://en.wikipedia.org/wiki/Stack_trace +.. _`traceback frame`: http://en.wikipedia.org/wiki/Stack_frame + +.. function:: sensitive_variables(*variables) + + If a function (either a view or any regular callback) in your code uses + local variables susceptible to contain sensitive information, you may + prevent the values of those variables from being included in error reports + using the ``sensitive_variables`` decorator: + + .. code-block:: python + + from django.views.decorators.debug import sensitive_variables + + @sensitive_variables('user', 'pw', 'cc') + def process_info(user): + pw = user.pass_word + cc = user.credit_card_number + name = user.name + ... + + In the above example, the values for the ``user``, ``pw`` and ``cc`` + variables will be hidden and replaced with stars (`**********`) in the + error reports, whereas the value of the ``name`` variable will be + disclosed. + + To systematically hide all local variables of a function from error logs, + do not provide any argument to the ``sensitive_variables`` decorator: + + .. code-block:: python + + @sensitive_variables() + def my_function(): + ... + +.. function:: sensitive_post_parameters(*parameters) + + If one of your views receives an :class:`HttpRequest` object with + :attr:`POST parameters<HttpRequest.POST>` susceptible to contain sensitive + information, you may prevent the values of those parameters from being + included in the error reports using the ``sensitive_post_parameters`` + decorator: + + .. code-block:: python + + from django.views.decorators.debug import sensitive_post_parameters + + @sensitive_post_parameters('pass_word', 'credit_card_number') + def record_user_profile(request): + UserProfile.create(user=request.user, + password=request.POST['pass_word'], + credit_card=request.POST['credit_card_number'], + name=request.POST['name']) + ... + + In the above example, the values for the ``pass_word`` and + ``credit_card_number`` POST parameters will be hidden and replaced with + stars (`**********`) in the request's representation inside the error + reports, whereas the value of the ``name`` parameter will be disclosed. + + To systematically hide all POST parameters of a request in error reports, + do not provide any argument to the ``sensitive_post_parameters`` decorator: + + .. code-block:: python + + @sensitive_post_parameters() + def my_view(request): + ... + +.. note:: + + .. versionchanged:: 1.4 + + Since version 1.4, all POST parameters are systematically filtered out of + error reports for certain :mod:`contrib.views.auth` views (``login``, + ``password_reset_confirm``, ``password_change``, and ``add_view`` and + ``user_change_password`` in the ``auth`` admin) to prevent the leaking of + sensitive information such as user passwords. + +.. _custom-error-reports: + +Custom error reports +~~~~~~~~~~~~~~~~~~~~ + +All :func:`sensitive_variables` and :func:`sensitive_post_parameters` do is, +respectively, annotate the decorated function with the names of sensitive +variables and annotate the ``HttpRequest`` object with the names of sensitive +POST parameters, so that this sensitive information can later be filtered out +of reports when an error occurs. The actual filtering is done by Django's +default error reporter filter: +:class:`django.views.debug.SafeExceptionReporterFilter`. This filter uses the +decorators' annotations to replace the corresponding values with stars +(`**********`) when the error reports are produced. If you wish to override or +customize this default behavior for your entire site, you need to define your +own filter class and tell Django to use it via the +:setting:`DEFAULT_EXCEPTION_REPORTER_FILTER` setting: + + .. code-block:: python + + DEFAULT_EXCEPTION_REPORTER_FILTER = 'path.to.your.CustomExceptionReporterFilter' + +You may also control in a more granular way which filter to use within any +given view by setting the ``HttpRequest``'s ``exception_reporter_filter`` +attribute: + + .. code-block:: python + + def my_view(request): + if request.user.is_authenticated(): + request.exception_reporter_filter = CustomExceptionReporterFilter() + ... + +Your custom filter class needs to inherit from +:class:`django.views.debug.SafeExceptionReporterFilter` and may override the +following methods: + +.. class:: django.views.debug.SafeExceptionReporterFilter + +.. method:: SafeExceptionReporterFilter.is_active(self, request) + + Returns ``True`` to activate the filtering operated in the other methods. + By default the filter is active if :setting:`DEBUG` is ``False``. + +.. method:: SafeExceptionReporterFilter.get_request_repr(self, request) + + Returns the representation string of the request object, that is, the + value that would be returned by ``repr(request)``, except it uses the + filtered dictionary of POST parameters as determined by + :meth:`SafeExceptionReporterFilter.get_post_parameters`. + +.. method:: SafeExceptionReporterFilter.get_post_parameters(self, request) + + Returns the filtered dictionary of POST parameters. By default it replaces + the values of sensitive parameters with stars (`**********`). + +.. method:: SafeExceptionReporterFilter.get_traceback_frame_variables(self, request, tb_frame) + + Returns the filtered dictionary of local variables for the given traceback + frame. By default it replaces the values of sensitive variables with stars + (`**********`). + +.. seealso:: + + You can also set up custom error reporting by writing a custom piece of + :ref:`exception middleware <exception-middleware>`. If you do write custom + error handling, it's a good idea to emulate Django's built-in error handling + and only report/log errors if :setting:`DEBUG` is ``False``. diff --git a/docs/ref/request-response.txt b/docs/ref/request-response.txt index 72872d5b40..ff04e25b1d 100644 --- a/docs/ref/request-response.txt +++ b/docs/ref/request-response.txt @@ -23,6 +23,8 @@ HttpRequest objects .. class:: HttpRequest +.. _httprequest-attributes: + Attributes ---------- diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 816c3e92ff..e95c165a9a 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -772,6 +772,17 @@ Default content type to use for all ``HttpResponse`` objects, if a MIME type isn't manually specified. Used with :setting:`DEFAULT_CHARSET` to construct the ``Content-Type`` header. +.. setting:: DEFAULT_EXCEPTION_REPORTER_FILTER + +DEFAULT_EXCEPTION_REPORTER_FILTER +--------------------------------- + +Default: :class:`django.views.debug.SafeExceptionReporterFilter` + +Default exception reporter filter class to be used if none has been assigned to +the :class:`HttpRequest` instance yet. +See :ref:`Filtering error reports<filtering-error-reports>`. + .. setting:: DEFAULT_FILE_STORAGE DEFAULT_FILE_STORAGE diff --git a/docs/releases/1.4.txt b/docs/releases/1.4.txt index 83ebaa738b..ddbcda9e60 100644 --- a/docs/releases/1.4.txt +++ b/docs/releases/1.4.txt @@ -116,6 +116,26 @@ help with AJAX heavy sites, protection for PUT and DELETE, and settings the security and usefulness of the CSRF protection. See the :doc:`CSRF docs </ref/contrib/csrf>` for more information. +Error report filtering +~~~~~~~~~~~~~~~~~~~~~~ + +Two new function decorators, :func:`sensitive_variables` and +:func:`sensitive_post_parameters`, were added to allow designating the +traceback frames' local variables and request's POST parameters susceptible +to contain sensitive information and that should be filtered out of error +reports. + +All POST parameters are now systematically filtered out of error reports for +certain :mod:`contrib.views.auth` views (``login``, ``password_reset_confirm``, +``password_change``, and ``add_view`` and ``user_change_password`` in the +``auth`` admin) to prevent the leaking of sensitive information such as user +passwords. + +You may override or customize the default filtering by writing a +:ref:`custom filter<custom-error-reports>`. Learn more on +:ref:`Filtering error reports<filtering-error-reports>`. + + .. _backwards-incompatible-changes-1.4: Backwards incompatible changes in 1.4 diff --git a/docs/topics/logging.txt b/docs/topics/logging.txt index 651a92ff34..e2c9f72ea6 100644 --- a/docs/topics/logging.txt +++ b/docs/topics/logging.txt @@ -504,6 +504,8 @@ Python logging module. sensitive, and you may not want to send it over email. Consider using something such as `django-sentry`_ to get the best of both worlds -- the rich information of full tracebacks plus the security of *not* sending the - information over email. + information over email. You may also explicitly designate certain + sensitive information to be filtered out of error reports -- learn more on + :ref:`Filtering error reports<filtering-error-reports>`. .. _django-sentry: http://pypi.python.org/pypi/django-sentry |
