4811: passwords sent in clear-text if login page throws an exception


What version are you running?


What's the URL of the page containing the problem?


What steps will reproduce the problem?

  1. Remove the FQDN from ALLOWED_HOSTS
  2. Restart apache
  3. Login

What is the expected output? What do you see instead?

For the emailed traceback to remove/redact the password

What operating system are you using? What browser?

not relevant

Please provide any additional information below.

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Django-1.6.11-py2.7.egg/django/core/handlers/base.py", line 180, in get_response
    response = callback(request, **param_dict)
  File "/usr/local/lib/python2.7/dist-packages/Django-1.6.11-py2.7.egg/django/utils/decorators.py", line 95, in _wrapped_view
    result = middleware.process_view(request, view_func, args, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/Django-1.6.11-py2.7.egg/django/middleware/csrf.py", line 156, in process_view
    good_referer = 'https://%s/' % request.get_host()
  File "/usr/local/lib/python2.7/dist-packages/Django-1.6.11-py2.7.egg/django/http/request.py", line 75, in get_host
    raise DisallowedHost(msg)
DisallowedHost: Invalid HTTP_HOST header: 'reviewboard-upgrade.sonos.com'.You may need to add u'reviewboard-upgrade.sonos.com' to ALLOWED_HOSTS.

GET:<QueryDict: {}>,
POST:<QueryDict: {u'username': [u'MY USERNAME'], u'csrfmiddlewaretoken': [u'AXfbdwZaxGdfzVfe5HPcVq5gl0Ycs8r0'], u'password': [u'!!!!!MY PASSWORD!!!!!'], u'next': [u'']}>,
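
An added example (not Review Board's or Django's code) modelling why the traceback above leaks the password: Django's @sensitive_post_parameters decorator marks a request only when the view wrapper runs, and CsrfViewMiddleware.process_view raises before the login view is reached, so the default reporter filter finds nothing marked. The second filter shows the defender's fix of redacting known-sensitive names on every request; in a real deployment that logic goes into a subclass of django.views.debug.SafeExceptionReporterFilter overriding get_post_parameters, named in the DEFAULT_EXCEPTION_REPORTER_FILTER setting. The request object, decorator, exception class and POST data are stand-ins constructed here.

```python
import re
from types import SimpleNamespace

CLEANSED = "********************"  # the placeholder Django substitutes for redacted values
# Redacted on every request (case-insensitive); "token" also catches csrfmiddlewaretoken.
ALWAYS_SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|api_?key", re.I)
SAMPLE_POST = {"username": ["alice"], "csrfmiddlewaretoken": ["<constructed-token>"],
               "password": ["hunter2"], "next": [""]}  # constructed, shaped like the QueryDict above

class DisallowedHost(Exception):
    """Stand-in for django.http.request.DisallowedHost."""

def sensitive_post_parameters(*names):
    """Mimics Django's decorator: the request is marked only when the view wrapper runs."""
    def decorator(view):
        def wrapped(request):
            request.sensitive_post_parameters = names or "__ALL__"  # Django's real sentinel
            return view(request)
        return wrapped
    return decorator

def mark_based_filter(request):
    """Default behaviour: redact only what the view marked."""
    marked = request.sensitive_post_parameters
    if not marked:
        return dict(request.POST)  # nothing marked -> the raw POST goes into the e-mail
    return {k: [CLEANSED] * len(v) if marked == "__ALL__" or k in marked else list(v)
            for k, v in request.POST.items()}

def always_redact_filter(request):
    """Mitigation: redact known-sensitive names whether or not the view ever ran."""
    return {k: [CLEANSED] * len(v) if ALWAYS_SENSITIVE.search(k) else v
            for k, v in mark_based_filter(request).items()}

def build_error_report(post, reporter_filter, middleware_raises=True):
    """What the e-mailed report shows for request.POST, in the traceback's order:
    CsrfViewMiddleware.process_view runs before the view, so when it raises the
    decorated login view (and its @sensitive_post_parameters mark) never executes."""
    request = SimpleNamespace(POST=post, sensitive_post_parameters=None)
    @sensitive_post_parameters()  # the decorator Django's own login view carries
    def login_view(req):
        return "ok"
    try:
        if middleware_raises:
            raise DisallowedHost("Invalid HTTP_HOST header (stand-in)")
        login_view(request)
    except DisallowedHost:
        pass  # the exception reporter now formats request.POST via reporter_filter
    return reporter_filter(request)
```

Running build_error_report(SAMPLE_POST, mark_based_filter) returns the raw password, while the same call with always_redact_filter returns the placeholder for password and csrfmiddlewaretoken and leaves username untouched.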

#1 david

Unfortunately there's not really anything we can do about this. Those e-mails are created by the Django framework.
