Merge pull request from GHSA-58c7-px5v-82hh

Security: fix CVE-2021-21416.

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2007-2020, James Bennett
+Copyright (c) 2007-2021, James Bennett
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

docs/conf.py

@@ -8,9 +8,9 @@
 source_suffix = ".rst"
 master_doc = "index"
 project = "django-registration"
-copyright = "2007-2020, James Bennett"
+copyright = "2007-2021, James Bennett"
 version = "3.1"
-release = "3.1.1"
+release = "3.1.2"
 exclude_trees = ["_build"]
 pygments_style = "sphinx"
 htmlhelp_basename = "django-registrationdoc"

docs/upgrade.rst

@@ -16,7 +16,29 @@ Within the 3.x release series, there have been several minor changes
 and improvements, documented here along with the version in which they
 occurred.
 
-django-registration 3.1
+django-registration 3.1.2
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This release fixes a security issue with low severity.
+
+Prior to 3.1.2, django-registration did not apply Django's
+:func:`~django.views.decorators.debug.sensitive_post_parameters`
+decorator to the base
+:class:`~django_registration.views.RegistrationView`. This meant that
+if detailed error reports, such as `Django's error reports emailed to
+site staff
+<https://docs.djangoproject.com/en/3.1/howto/error-reporting/#email-reports>`_,
+were enabled, and a server-side error occurred during account
+registration, the generated error report would include all fields
+submitted in the HTTP request, some of which are potentially sensitive
+depending on the user-account model and registration workflow in use.
+
+This issue is CVE-2021-21416 and GitHub security advisory
+GHSA-58c7-px5v-82hh.
+
+Thanks to Martin Morgenstern for reporting this issue.
+
+Django-registration 3.1
 ~~~~~~~~~~~~~~~~~~~~~~~
 
 * When an attempt was made to use django-registration with a custom

setup.py

@@ -2,11 +2,10 @@
 
 from setuptools import find_packages, setup
 
-
 setup(
     name="django-registration",
     zip_safe=False,  # eggs are the devil.
-    version="3.1.1",
+    version="3.1.2",
     description="An extensible user-registration application for Django",
     long_description=open(os.path.join(os.path.dirname(__file__), "README.rst")).read(),
     author="James Bennett",

src/django_registration/views.py

@@ -7,7 +7,9 @@
 from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpResponseRedirect
 from django.urls import reverse_lazy
+from django.utils.decorators import method_decorator
 from django.utils.encoding import force_str
+from django.views.decorators.debug import sensitive_post_parameters
 from django.views.generic.base import TemplateView
 from django.views.generic.edit import FormView
 
@@ -40,6 +42,7 @@ class RegistrationView(FormView):
     success_url = None
     template_name = "django_registration/registration_form.html"
 
+    @method_decorator(sensitive_post_parameters())
     def dispatch(self, *args, **kwargs):
         """
         Check that user signup is allowed before even bothering to

tests/test_views.py

@@ -3,10 +3,14 @@
 
 """
 
+import logging
+import sys
+
 from django.contrib.auth import get_user_model
-from django.core import signing
+from django.contrib.auth.models import AnonymousUser
+from django.core import mail, signing
 from django.core.exceptions import ImproperlyConfigured
-from django.test import override_settings
+from django.test import RequestFactory, override_settings
 from django.urls import reverse
 
 from django_registration import forms
@@ -86,3 +90,69 @@ def test_user_mismatch_breaks_view(self):
                 )
                 with self.assertRaisesMessage(ImproperlyConfigured, message):
                     view.get_form()
+
+
+class RegistrationError(Exception):
+    """
+    Distinct exception class to simulate an unhandled error in the below
+    tests.
+
+    """
+
+
+class BuggyRegistrationView(base_views.RegistrationView):
+    """
+    Registration view that simulates an unhandled exception.
+
+    """
+
+    def registration_allowed(self):
+        raise RegistrationError("catch me if you can")
+
+
+buggy_view = BuggyRegistrationView.as_view()
+
+
+@override_settings(ADMINS=[("Admin", "admin@localhost")])
+class SensitiveParameterFilterTests(RegistrationTestCase):
+    """
+    Test filtering of sensitive POST parameters in error reports for the
+    registration view.
+
+    """
+
+    logger = logging.getLogger("django")
+    factory = RequestFactory()
+
+    def test_sensitive_post_parameters_are_filtered(self):
+        """
+        When an unexpected exception occurs during a POST request to the
+        registration view, the default email report to ADMINS must not
+        contain the submitted passwords.
+
+        """
+        request = self.factory.post("/raise/", data=self.valid_data)
+        request.user = AnonymousUser()
+        # we cannot use self.assertRaises(...) here because of sys.exc_info()
+        try:
+            buggy_view(request)
+            self.fail("expected exception not thrown")
+        except RegistrationError as error:
+            self.assertEqual(str(error), "catch me if you can")
+            # based on code in Django (tests/view_tests/views.py)
+            self.logger.error(
+                "Internal Server Error: %s" % request.path,
+                exc_info=sys.exc_info(),
+                extra={"status_code": 500, "request": request},
+            )
+        self.assertEqual(len(mail.outbox), 1)
+        email = mail.outbox[0]
+        self.assertIn("RegistrationError at /raise/", email.body)
+        self.assertIn("catch me if you can", email.body)
+        self.assertIn("No GET data", email.body)
+        self.assertNotIn("No POST data", email.body)
+        self.assertIn("password1", email.body)
+        self.assertIn("password2", email.body)
+        self.assertNotIn(self.valid_data["password1"], email.body)
+        self.assertNotIn(self.valid_data["password2"], email.body)
+        self.assertNotIn(self.valid_data["email"], email.body)