From dfd8623de4e225e33c334086ff4e2ccdfb07247f Mon Sep 17 00:00:00 2001 From: Julien Phalip Date: Mon, 31 Dec 2012 09:34:08 -0800 Subject: [1.5.x] Fixed #19453 -- Ensured that the decorated function's arguments are obfuscated in the @sensitive_variables decorator's frame, in case the variables associated with those arguments were meant to be obfuscated from the decorated function's frame. Thanks to vzima for the report. Backport of 9180146d21cf2a31eec --- django/views/debug.py | 22 +++++++++++++++------- django/views/decorators/debug.py | 4 ++-- 2 files changed, 17 insertions(+), 9 deletions(-) (limited to 'django/views') diff --git a/django/views/debug.py b/django/views/debug.py index aaa7e40efe..e5f4c70191 100644 --- a/django/views/debug.py +++ b/django/views/debug.py @@ -172,13 +172,12 @@ class SafeExceptionReporterFilter(ExceptionReporterFilter): break current_frame = current_frame.f_back - cleansed = [] + cleansed = {} if self.is_active(request) and sensitive_variables: if sensitive_variables == '__ALL__': # Cleanse all variables for name, value in tb_frame.f_locals.items(): - cleansed.append((name, CLEANSED_SUBSTITUTE)) - return cleansed + cleansed[name] = CLEANSED_SUBSTITUTE else: # Cleanse specified variables for name, value in tb_frame.f_locals.items(): @@ -187,16 +186,25 @@ class SafeExceptionReporterFilter(ExceptionReporterFilter): elif isinstance(value, HttpRequest): # Cleanse the request's POST parameters. value = self.get_request_repr(value) - cleansed.append((name, value)) - return cleansed + cleansed[name] = value else: # Potentially cleanse only the request if it's one of the frame variables. for name, value in tb_frame.f_locals.items(): if isinstance(value, HttpRequest): # Cleanse the request's POST parameters. value = self.get_request_repr(value) - cleansed.append((name, value)) - return cleansed + cleansed[name] = value + + if (tb_frame.f_code.co_name == 'sensitive_variables_wrapper' + and 'sensitive_variables_wrapper' in tb_frame.f_locals): + # For good measure, obfuscate the decorated function's arguments in + # the sensitive_variables decorator's frame, in case the variables + # associated with those arguments were meant to be obfuscated from + # the decorated function's frame. + cleansed['func_args'] = CLEANSED_SUBSTITUTE + cleansed['func_kwargs'] = CLEANSED_SUBSTITUTE + + return cleansed.items() class ExceptionReporter(object): """ diff --git a/django/views/decorators/debug.py b/django/views/decorators/debug.py index 5c222963d3..78ae6b1442 100644 --- a/django/views/decorators/debug.py +++ b/django/views/decorators/debug.py @@ -26,12 +26,12 @@ def sensitive_variables(*variables): """ def decorator(func): @functools.wraps(func) - def sensitive_variables_wrapper(*args, **kwargs): + def sensitive_variables_wrapper(*func_args, **func_kwargs): if variables: sensitive_variables_wrapper.sensitive_variables = variables else: sensitive_variables_wrapper.sensitive_variables = '__ALL__' - return func(*args, **kwargs) + return func(*func_args, **func_kwargs) return sensitive_variables_wrapper return decorator -- cgit v1.3