From dfd8623de4e225e33c334086ff4e2ccdfb07247f Mon Sep 17 00:00:00 2001 From: Julien Phalip Date: Mon, 31 Dec 2012 09:34:08 -0800 Subject: [1.5.x] Fixed #19453 -- Ensured that the decorated function's arguments are obfuscated in the @sensitive_variables decorator's frame, in case the variables associated with those arguments were meant to be obfuscated from the decorated function's frame. Thanks to vzima for the report. Backport of 9180146d21cf2a31eec --- django/views/debug.py | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) (limited to 'django/views/debug.py') diff --git a/django/views/debug.py b/django/views/debug.py index aaa7e40efe..e5f4c70191 100644 --- a/django/views/debug.py +++ b/django/views/debug.py @@ -172,13 +172,12 @@ class SafeExceptionReporterFilter(ExceptionReporterFilter): break current_frame = current_frame.f_back - cleansed = [] + cleansed = {} if self.is_active(request) and sensitive_variables: if sensitive_variables == '__ALL__': # Cleanse all variables for name, value in tb_frame.f_locals.items(): - cleansed.append((name, CLEANSED_SUBSTITUTE)) - return cleansed + cleansed[name] = CLEANSED_SUBSTITUTE else: # Cleanse specified variables for name, value in tb_frame.f_locals.items(): @@ -187,16 +186,25 @@ class SafeExceptionReporterFilter(ExceptionReporterFilter): elif isinstance(value, HttpRequest): # Cleanse the request's POST parameters. value = self.get_request_repr(value) - cleansed.append((name, value)) - return cleansed + cleansed[name] = value else: # Potentially cleanse only the request if it's one of the frame variables. for name, value in tb_frame.f_locals.items(): if isinstance(value, HttpRequest): # Cleanse the request's POST parameters. value = self.get_request_repr(value) - cleansed.append((name, value)) - return cleansed + cleansed[name] = value + + if (tb_frame.f_code.co_name == 'sensitive_variables_wrapper' + and 'sensitive_variables_wrapper' in tb_frame.f_locals): + # For good measure, obfuscate the decorated function's arguments in + # the sensitive_variables decorator's frame, in case the variables + # associated with those arguments were meant to be obfuscated from + # the decorated function's frame. + cleansed['func_args'] = CLEANSED_SUBSTITUTE + cleansed['func_kwargs'] = CLEANSED_SUBSTITUTE + + return cleansed.items() class ExceptionReporter(object): """ -- cgit v1.3