Commit 40c548c9 authored by Stratos Psomadakis's avatar Stratos Psomadakis

Replace regexp in cleanse middleware

Replace the regexp in mail_admins_safe() with manual parsing of the message.
parent cf54ccae
......@@ -39,27 +39,64 @@ from django.views import debug
import re
HIDDEN_ALL = settings.HIDDEN_COOKIES + settings.HIDDEN_HEADERS
def mail_admins_safe(subject, message, fail_silently=False, connection=None):
'''
Wrapper function to cleanse email body from sensitive content before
sending it
'''
new_msg = ""
if len(message) > settings.MAIL_MAX_LEN:
new_msg += "Mail size over limit (truncated)\n\n"
message = message[:settings.MAIL_MAX_LEN]
for line in message.splitlines():
# Lines of interest in the mail are in the form of
# key:value.
try:
(key, value) = line.split(':', 1)
except ValueError:
new_msg += line + '\n'
continue
new_msg += key + ':'
# Special case when the first header / cookie printed
# (prefixed by 'META:{' or 'COOKIES:{') needs to be hidden.
if value.startswith('{'):
try:
(newkey, newval) = value.split(':', 1)
except ValueError:
new_msg += value + '\n'
continue
HIDDEN_ALL = settings.HIDDEN_SETTINGS + "|" + settings.HIDDEN_COOKIES
message = re.sub("((\S+)?(%s)(\S+)?(:|\=)( )?)('|\"?)\S+('|\"?)"
% HIDDEN_ALL, r"\1*******", message)
new_msg += newkey + ':'
key = newkey.lstrip('{')
value = newval
return mail.mail_admins_plain(subject, message, fail_silently, connection)
if key.strip(" '") not in HIDDEN_ALL:
new_msg += value + '\n'
continue
# Append value[-1] to the clensed string, so that commas / closing
# brackets are printed correctly.
# (it will 'eat up' the closing bracket if the header is the last one
# printed)
new_msg += ' ' + '*'*8 + value[-1] + '\n'
return mail.mail_admins_plain(subject, new_msg, fail_silently, connection)
class CleanseSettingsMiddleware(object):
'''
Prevent django from printing sensitive information (paswords, tokens
etc), when handling server errors (for both DEBUG and no-DEBUG
deployments.
'''
def __init__(self):
'''
Prevent django from printing sensitive information (paswords, tokens
etc), when handling server errors (for both DEBUG and no-DEBUG
deployments.
'''
debug.HIDDEN_SETTINGS = re.compile(settings.HIDDEN_SETTINGS)
if not hasattr(mail, 'mail_admins_plain'):
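Review bot: The masked branch of mail_admins_safe (`new_msg += ' ' + '*'*8 + value[-1] + '\n'`) raises IndexError when a hidden key arrives with an empty value (`line.split(':', 1)` on `token:` yields `''`), and when the value ends with no comma, bracket or quote it appends the last character of the secret itself to the admin mail. The `except ValueError` branch copies any line without a `:` verbatim; if the pretty-printed META/COOKIES block wraps a long masked value onto continuation lines (inferred from the `'{'` special case, not visible here), those lines would pass through unmasked. Suggest keeping only structural punctuation from the tail and carrying a `hiding` flag across iterations so continuation lines of a masked value are masked as well. Note also that membership is now an exact match against HIDDEN_ALL where the replaced regexp matched substrings, so keys that merely contain a listed name (e.g. a `shibsession_<id>` cookie) would no longer be masked — worth confirming that is intended.
```python
    hiding = False  # True while the previous line's value was masked
    for line in message.splitlines():
        # Lines of interest in the mail are in the form of key:value.
        try:
            (key, value) = line.split(':', 1)
        except ValueError:
            # A continuation line of a masked value must stay masked too.
            new_msg += ('*' * 8 if hiding else line) + '\n'
            continue
        # … unchanged: 'key:' emission and the '{'-prefixed first-entry special case …
        if key.strip(" '") not in HIDDEN_ALL:
            hiding = False
            new_msg += value + '\n'
            continue
        hiding = True
        # Keep only the closing comma / bracket / quote so the layout survives;
        # never echo the last character of the secret itself, and never index
        # an empty value.
        tail = value[-1] if value and value[-1] in ",}]'\"" else ''
        new_msg += ' ' + '*' * 8 + tail + '\n'
```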
......@@ -17,9 +17,14 @@
## sets this header is in use.
#USE_X_FORWARDED_HOST = True
#
## Settings / cookies that should be 'cleansed'
#HIDDEN_SETTINGS = 'SECRET|PASSWORD|PROFANITIES_LIST|SIGNATURE|AMQP_HOSTS|PRIVATE_KEY|DB_CONNECTION'
#HIDDEN_COOKIES = 'password|_pithos2_a|token|sessionid|shibstate|shibsession|CSRF_COOKIE'
## Settings / Cookies / Headers that should be 'cleansed'
#HIDDEN_SETTINGS = 'SECRET|PASSWORD|PROFANITIES_LIST|SIGNATURE|AMQP_HOSTS|'\
# 'PRIVATE_KEY|DB_CONNECTION|TOKEN'
#HIDDEN_COOKIES = ['password', '_pithos2_a', 'token', 'sessionid', 'shibstate',
# 'shibsession', 'CSRF_COOKIE']
#HIDDEN_HEADERS = ['HTTP_X_AUTH_TOKEN', 'HTTP_COOKIE']
## Mail size limit for unhandled exception
#MAIL_MAX_LEN = 100 * 1024 # (100KB)
#
## Set the url you want to redirect users to when they access the root path of
## your site.
......@@ -17,10 +17,14 @@ SECRET_KEY = 'ly6)mw6a7x%n)-e#zzk4jo6f2=uqu!1o%)2-(7lo+f9yd^k^bg'
# sets this header is in use.
USE_X_FORWARDED_HOST = True
# Settings / cookies that should be 'cleansed'
HIDDEN_SETTINGS = 'SECRET|PASSWORD|PROFANITIES_LIST|SIGNATURE|AMQP_HOSTS|PRIVATE_KEY|DB_CONNECTION'
HIDDEN_COOKIES = 'password|_pithos2_a|token|sessionid|shibstate|shibsession|CSRF_COOKIE'
# Settings / Cookies / Headers that should be 'cleansed'
HIDDEN_SETTINGS = 'SECRET|PASSWORD|PROFANITIES_LIST|SIGNATURE|AMQP_HOSTS|'\
'PRIVATE_KEY|DB_CONNECTION|TOKEN'
HIDDEN_COOKIES = ['password', '_pithos2_a', 'token', 'sessionid', 'shibstate',
'shibsession', 'CSRF_COOKIE']
HIDDEN_HEADERS = ['HTTP_X_AUTH_TOKEN', 'HTTP_COOKIE']
# Mail size limit for unhandled exception
MAIL_MAX_LEN = 100 * 1024 # (100KB)
#When set to True, if the request URL does not match any of the patterns in the
#URLconf and it doesn't end in a slash, an HTTP redirect is issued to the same
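Review bot: `'CSRF_COOKIE'` in the new HIDDEN_COOKIES list is the name of a Django setting rather than of the cookie itself; now that the middleware matches keys exactly against this list instead of by regexp, the CSRF cookie as actually sent (Django's default name is `csrftoken`, configurable via `CSRF_COOKIE_NAME`) would not be masked. Suggest listing the configured cookie name, e.g. `'csrftoken'`, and mirroring the same change in the commented template copy of this list in the other settings file touched by this commit.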