[1.5.x] Fixed #19453 -- Ensured that the decorated function's arguments are obfuscated in the @sensitive_variables decorator's frame, in case the variables associated with those arguments were meant to be obfuscated from the decorated function's frame.

Thanks to vzima for the report. Backport of 9180146d21
2025-10-31 09:41:08 +00:00 · 2012-12-31 09:34:08 -08:00
parent fd1279a44d
commit dfd8623de4
5 changed files with 137 additions and 28 deletions
--- a/django/views/debug.py
+++ b/django/views/debug.py
@@ -172,13 +172,12 @@ class SafeExceptionReporterFilter(ExceptionReporterFilter):
                break
            current_frame = current_frame.f_back

-        cleansed = []
+        cleansed = {}
        if self.is_active(request) and sensitive_variables:
            if sensitive_variables == '__ALL__':
                # Cleanse all variables
                for name, value in tb_frame.f_locals.items():
-                    cleansed.append((name, CLEANSED_SUBSTITUTE))
-                return cleansed
+                    cleansed[name] = CLEANSED_SUBSTITUTE
            else:
                # Cleanse specified variables
                for name, value in tb_frame.f_locals.items():
@@ -187,16 +186,25 @@ class SafeExceptionReporterFilter(ExceptionReporterFilter):
                    elif isinstance(value, HttpRequest):
                        # Cleanse the request's POST parameters.
                        value = self.get_request_repr(value)
-                    cleansed.append((name, value))
-                return cleansed
+                    cleansed[name] = value
        else:
            # Potentially cleanse only the request if it's one of the frame variables.
            for name, value in tb_frame.f_locals.items():
                if isinstance(value, HttpRequest):
                    # Cleanse the request's POST parameters.
                    value = self.get_request_repr(value)
-                cleansed.append((name, value))
-            return cleansed
+                cleansed[name] = value
+
+        if (tb_frame.f_code.co_name == 'sensitive_variables_wrapper'
+            and 'sensitive_variables_wrapper' in tb_frame.f_locals):
+            # For good measure, obfuscate the decorated function's arguments in
+            # the sensitive_variables decorator's frame, in case the variables
+            # associated with those arguments were meant to be obfuscated from
+            # the decorated function's frame.
+            cleansed['func_args'] = CLEANSED_SUBSTITUTE
+            cleansed['func_kwargs'] = CLEANSED_SUBSTITUTE
+
+        return cleansed.items()

 class ExceptionReporter(object):
    """
--- a/django/views/decorators/debug.py
+++ b/django/views/decorators/debug.py
@@ -26,12 +26,12 @@ def sensitive_variables(*variables):
    """
    def decorator(func):
        @functools.wraps(func)
-        def sensitive_variables_wrapper(*args, **kwargs):
+        def sensitive_variables_wrapper(*func_args, **func_kwargs):
            if variables:
                sensitive_variables_wrapper.sensitive_variables = variables
            else:
                sensitive_variables_wrapper.sensitive_variables = '__ALL__'
-            return func(*args, **kwargs)
+            return func(*func_args, **func_kwargs)
        return sensitive_variables_wrapper
    return decorator