From 0fb8a7b1c8cdec4268edf0b71438a0ce192205e6 Mon Sep 17 00:00:00 2001
From: Piotr Mitros
Date: Fri, 20 Jul 2012 16:38:45 -0400
Subject: [PATCH] Middleware password fix. Needs Cale's cleanup
---
 common/djangoapps/track/middleware.py | 28 +++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/common/djangoapps/track/middleware.py b/common/djangoapps/track/middleware.py
index 6905ae86f3..3beabeb690 100644
--- a/common/djangoapps/track/middleware.py
+++ b/common/djangoapps/track/middleware.py
@@ -12,8 +12,32 @@ class TrackMiddleware:
 if request.META['PATH_INFO'] in ['/event', '/login']:
 return
- event = { 'GET' : dict(request.GET), 'POST' : dict(request.POST)}
+ # Removes passwords from the tracking logs
+ # WARNING: This list needs to be changed whenever we change
+ # password handling functionality.
+ #
+ # As of the time of this comment, only 'password' is used
+ # The rest are there for future extension.
+ #
+ # Passwords should never be sent as GET requests, but
+ # this can happen due to older browser bugs. We censor
+ # this too.
+ #
+ # We should manually confirm no passwords make it into log
+ # files when we change this.
+ censored_strings = ['password', 'newpassword', 'new_password', 'oldpassword', 'old_password']
+ post_dict = dict(request.POST)
+ get_dict = dict(request.GET)
+ for string in censored_strings:
+ if string in post_dict:
+ post_dict[string] = '*'*8
+ if string in get_dict:
+ get_dict[string] = '*'*8
+ event = { 'GET' : dict(get_dict), 'POST' : dict(post_dict)}
 # TODO: Confirm no large file uploads
 event = json.dumps(event)
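Review bot: The added `for string in censored_strings` loop masks only five exact key names, so any other field carrying a credential (a confirmation field, a differently cased name) still reaches the tracking log in cleartext, and the comment itself concedes the list has to be kept in sync by hand. Matching on the key rather than a fixed list removes that maintenance burden: iterate `for key in list(post_dict):` and mask with `if 'password' in key.lower():`, and do the same for `get_dict`. The `dict(get_dict)` and `dict(post_dict)` wrappers in the new `event` literal copy values that are already plain dicts and can be dropped. Note also that `dict(request.POST)` on a Django QueryDict may produce list-valued entries, which is presumably why the whole value is replaced with `'*'*8`; a one-line comment saying so would help the next reader. The enclosing method starts and ends outside the hunk.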