-
-
Notifications
You must be signed in to change notification settings - Fork 339
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request body sanitization #305
Comments
The fact credentials are stored as plain text should be highlighted in readme in the first lines. |
@avelis Do you have plans to address this issue? |
@nyanev I personally don't have time to do it. Is it ready to close? |
@auvipy Why was this closed? |
As there are links to potential fixes. It would be great if anyone could install the master branch in a local setting and check this is still not fixed, then could be reopened again |
Can this please be reopened unless a fix has already been applied? |
I second this. (x1000) Until this is fixed, it should be well-advertised. There is no benefit in closing this issue before fixing it. For inspiration, see this story and then this story. Logging sensitive data is a real problem. |
Looks like #322 contains a fix for this, which was released in https://github.com/jazzband/django-silk/releases/tag/3.0.2. Therefore installing a fix is definitely possible. Exactly how we ensure people know about this fix is a different story. I'll work on that one. |
Since this issue seems to be resolved, I think you could remove the security note from the main README.md? That's at least misleading people to think they might better not to use django-silk at all. |
Request bodies are stored as plain text in the database. This is great for debugging, but not so useful in terms of security, as passwords are technically stored in the database as plain text.
Django supports cleaning credentials using https://github.com/django/django/blob/b9cf764be62e77b4777b3a75ec256f6209a57671/django/contrib/auth/__init__.py#L41. An implementation using this would be good.
The text was updated successfully, but these errors were encountered: