From ec5e2f0ccc1d1d5e6a744e2be77deae68c66fcf8 Mon Sep 17 00:00:00 2001 From: Jannis Leidel Date: Thu, 9 Feb 2012 18:58:45 +0000 Subject: Fixed #17460 -- Extended the HIDDEN_SETTINGS constant in with a few more sensible names of settings to hide in the debug view. Many thanks to chomik, lpiatek and tomaszrybak. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17481 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/ref/settings.txt | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) (limited to 'docs/ref') diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index d8260b0fa2..c394c34045 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -756,15 +756,24 @@ Default: ``False`` A boolean that turns on/off debug mode. -If you define custom settings, `django/views/debug.py`_ has a ``HIDDEN_SETTINGS`` -regular expression which will hide from the DEBUG view anything that contains -``'SECRET'``, ``'PASSWORD'``, ``'PROFANITIES'``, or ``'SIGNATURE'``. This allows -untrusted users to be able to give backtraces without seeing sensitive (or -offensive) settings. - -Still, note that there are always going to be sections of your debug output that -are inappropriate for public consumption. File paths, configuration options, and -the like all give attackers extra information about your server. +If you define custom settings, `django/views/debug.py`_ has a +``HIDDEN_SETTINGS`` regular expression which will hide from the DEBUG view +anything that contains ``'API'``, ``'TOKEN'``, ``'KEY'``, ``'SECRET'``, +``'PASS'``, ``'PROFANITIES_LIST'``, or ``'SIGNATURE'``. This allows untrusted +users to be able to give backtraces without seeing sensitive (or offensive) +settings. + +.. versionchanged:: 1.4 + + ``'PASSWORD'`` changed to ``'PASS'``. ``'API'``, ``'TOKEN'``, ``'KEY'`` + were added. + +Note that due to how regular expression matching works ``'PASS'`` will also +match PASSWORD, just as ``'TOKEN'`` will also match TOKENIZED and so on. + +Still, note that there are always going to be sections of your debug output +that are inappropriate for public consumption. File paths, configuration +options, and the like all give attackers extra information about your server. It is also important to remember that when running with :setting:`DEBUG` turned on, Django will remember every SQL query it executes. This is useful -- cgit v1.3