Request body sanitization #305
Comments
The fact that credentials are stored as plain text should be highlighted in the first lines of the readme.
@avelis Do you have plans to address this issue?
@nyanev I personally don't have time to do it. Is it ready to close?
@auvipy Why was this closed?
As there are links to potential fixes, it would be great if anyone could install the master branch in a local setting and check whether this is still not fixed; then it could be reopened again.
Can this please be reopened unless a fix has already been applied?
I second this. (x1000) Until this is fixed, it should be well-advertised. There is no benefit in closing this issue before fixing it. For inspiration, see this story and then this story. Logging sensitive data is a real problem.
Looks like #322 contains a fix for this, which was released in https://github.com/jazzband/django-silk/releases/tag/3.0.2. Therefore installing a fix is definitely possible. Exactly how we ensure people know about this fix is a different story. I'll work on that one.
Since this issue seems to be resolved, I think you could remove the security note from the main README.md? That at least misleads people into thinking they had better not use django-silk at all.
Request bodies are stored as plain text in the database. This is great for debugging, but not so useful in terms of security, as passwords are technically stored in the database as plain text.
Django supports cleaning credentials using https://github.com/django/django/blob/b9cf764be62e77b4777b3a75ec256f6209a57671/django/contrib/auth/__init__.py#L41. An implementation using this would be good.
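The sanitization the issue asks for, as an added example that is not django-silk's own code or the #322 fix: it masks request-body values whose key looks like a credential before the body is persisted, using a key pattern and substitute in the style of Django's `_clean_credentials` (copied inline here rather than imported, so it runs without Django). It handles JSON (including nested objects and arrays) and form-encoded bodies, which is more than the linked Django helper does for a flat dict; the function names and the fail-closed handling of unparsable bodies are assumptions.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

# Key pattern and substitute in the style of Django's _clean_credentials
# (assumption: reproduced here so the example runs without Django installed).
SENSITIVE_KEYS = re.compile(r"api|token|key|secret|password|signature", re.I)
CLEANSED_SUBSTITUTE = "********************"


def cleanse_mapping(data):
    """Recursively mask values under sensitive-looking keys; lists are walked too."""
    if isinstance(data, dict):
        return {
            k: CLEANSED_SUBSTITUTE if isinstance(k, str) and SENSITIVE_KEYS.search(k)
            else cleanse_mapping(v)
            for k, v in data.items()
        }
    if isinstance(data, list):
        return [cleanse_mapping(item) for item in data]
    return data


def sanitize_request_body(body, content_type):
    """Return a version of `body` (a str) that is safe to store for debugging.

    JSON and form-encoded bodies are masked by key. A body that claims one of
    those types but cannot be parsed is replaced outright (fail closed: never
    store what we could not inspect). Other content types are returned
    unchanged, which is a deliberate, documented limit of this example.
    """
    ctype = (content_type or "").split(";")[0].strip().lower()
    try:
        if ctype == "application/json":
            return json.dumps(cleanse_mapping(json.loads(body)))
        if ctype == "application/x-www-form-urlencoded":
            pairs = parse_qsl(body, keep_blank_values=True)
            masked = [(k, CLEANSED_SUBSTITUTE if SENSITIVE_KEYS.search(k) else v)
                      for k, v in pairs]
            # safe="*" keeps the substitute readable instead of %2A-encoding it
            return urlencode(masked, safe="*")
    except ValueError:  # json.JSONDecodeError is a ValueError
        return CLEANSED_SUBSTITUTE
    return body
```

Constructed sample input such as `username=alice&password=hunter2&csrfmiddlewaretoken=abc` comes back with both the password and the CSRF token masked, because the key pattern matches `token` as well as `password`.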