
Leaking sensitive passwords in error emails #222

Closed
ericmillsio opened this issue Jun 10, 2016 · 8 comments

Comments

@ericmillsio

ericmillsio commented Jun 10, 2016

I believe this is leaking the user's password when a user fails to validate while logging in. On my system, I am getting their password in raw text via error emails. I think that this should be using Django's sensitive_variables decorator in the LoginView.

Thoughts?

@Akay7
Contributor

Akay7 commented Jun 10, 2016

@crearc I believe you get that information because error emails are realized in your system in a slightly wrong way.

@ericmillsio
Author

Sorry, I'm not sure what you're saying?

@Akay7
Contributor

Akay7 commented Jun 10, 2016

@crearc the trouble is in your code, not inside that application.

@ericmillsio
Author

I have no code/interaction to affect the way rest_auth works at this endpoint so I'm not sure how that would be the case.

I get a ValidationError: {'code': 400, u'non_field_errors': [<django.utils.functional.__proxy__ object at 0x7f207654dc50>], 'url': 'POST mydomain.com/login/', 'u': 'AnonymousUser'} on attempted login and the user's password is exposed in the traceback's local vars of Django's default email system.

This is what the traceback looks like in the email (sorry it's ugly, see towards the end of it):

Traceback

/app/.heroku/python/lib/python2.7/site-packages/rest_framework/views.py in dispatch
            response = handler(request, *args, **kwargs)
Local Vars

Variable    Value
kwargs  
{}
handler 
<bound method LoginView.post of <rest_auth.views.LoginView object at 0x7f207654d8d0>>
exc 
ValidationError()
self    
<rest_auth.views.LoginView object at 0x7f207654d8d0>
args    
()
request 
<rest_framework.request.Request object at 0x7f207654d3d0>
/app/.heroku/python/lib/python2.7/site-packages/rest_auth/views.py in post
        self.serializer.is_valid(raise_exception=True)
Local Vars

Variable    Value
request 
<rest_framework.request.Request object at 0x7f207654d3d0>
kwargs  
{}
args    
()
self    
<rest_auth.views.LoginView object at 0x7f207654d8d0>
/app/.heroku/python/lib/python2.7/site-packages/rest_framework/serializers.py in is_valid
            raise ValidationError(self.errors)
Local Vars

Variable    Value
self    
LoginSerializer(context={u'request': <rest_framework.request.Request object>, u'format': None, u'view': <rest_auth.views.LoginView object>}, data={u'email': u'THE USERS EMAIL', u'password': u'THE USERS SENSITIVE PASSWORD'}):
    username = CharField(allow_blank=True, required=False)
    email = EmailField(allow_blank=True, required=False)
    password = CharField(style={'input_type': 'password'})
raise_exception 
True
exc 
ValidationError()

@Akay7
Contributor

Akay7 commented Jun 10, 2016

@crearc would you like to get an email every time any user can't enter the correct password at your website, but you would prefer to get *** instead of the incorrect password?

@ericmillsio
Author

I've already filtered out emails for being unable to login, and I'm not actually sure what the validation error technically was for the above, but regardless of how someone handles their logging when using rest-auth, it should never be sending plain text passwords over error emails. This is exactly what sensitive_variables is for.

@ericmillsio
Author

(In reference to the weird validation error, I think it's fixed in encode/django-rest-framework#3908, which won't be released until 3.4, but my point still stands)

@maxim-kht
Contributor

Thank you! Added sensitive_post_parameters decorator in version 0.9.1
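The masking this thread asks for, as an added, self-contained example that is not rest-auth's or Django's own code: a simplified model of Django's sensitive_variables decorator and of the stack walk an error reporter does before it renders a "Local Vars" table into an email. The names validate, login_view and report_for and the credentials are constructed for the demo.

```python
import functools

CLEANSED_SUBSTITUTE = "********************"  # the string Django substitutes

def sensitive_variables(*names):
    """Simplified model of django.views.decorators.debug.sensitive_variables:
    the wrapper's frame keeps the names to hide in a local so a reporter
    walking f_back can find them; no names means hide every local."""
    def decorator(func):
        @functools.wraps(func)
        def sensitive_variables_wrapper(*args, **kwargs):
            sensitive_variables = names or "__ALL__"  # found via f_locals
            return func(*args, **kwargs)
        return sensitive_variables_wrapper
    return decorator

def cleansed_locals(tb):
    """Return [(function name, locals)] for each traceback frame, masking the
    values a sensitive_variables wrapper above that frame asked to hide."""
    report = []
    while tb is not None:
        frame, hidden = tb.tb_frame, None
        if frame.f_code.co_name == "sensitive_variables_wrapper":
            hidden = "__ALL__"  # the wrapper's own args hold the raw credentials
        caller = frame.f_back
        while caller is not None and hidden is None:
            if caller.f_code.co_name == "sensitive_variables_wrapper":
                hidden = caller.f_locals.get("sensitive_variables")
            caller = caller.f_back
        masked = {n: CLEANSED_SUBSTITUTE if hidden == "__ALL__" or (hidden and n in hidden) else v
                  for n, v in frame.f_locals.items()}
        report.append((frame.f_code.co_name, masked))
        tb = tb.tb_next
    return report

def validate(email, password):
    if "@" not in email:  # stand-in for LoginSerializer.is_valid(raise_exception=True)
        raise ValueError("non_field_errors")

@sensitive_variables("password")
def login_view(email, password):
    validate(email, password)

def report_for(email, password):
    """Run the view with constructed credentials and return the cleansed report."""
    try:
        login_view(email, password)
    except ValueError as exc:
        return cleansed_locals(exc.__traceback__)
    return []
```

Only the decorated function's frame and the frames below it are cleansed; the undecorated caller (report_for here) keeps its raw locals, which is why the request-side data also needs sensitive_post_parameters in real Django.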
