Friday, September 25, 2015

[Off list] NOOB exposes CSRF token. Now what?

Gordon

As others have said, you need to keep such stuff out of your repo.

For that I wrote a little file parser called getcreds.py (see below) to
read plain text files and retrieve the necessary info for settings.

e.g., from my settings.py ...

# keep all credentials in separate fname files in credsdir
from .getcreds import getcreds
email_creds = getcreds('smtp.host', PROJECT)
EMAIL_HOST = email_creds[0]
EMAIL_PORT = email_creds[1]
EMAIL_HOST_USER = email_creds[2]
EMAIL_HOST_PASSWORD = email_creds[3]

SECRET_KEY = getcreds('django.secret', PROJECT)[0]

dbhost = getcreds('db.host', PROJECT)
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': PROJECT,
        'USER': dbhost[0],
        'PASSWORD': dbhost[1],
        'HOST': dbhost[2],
        'PORT': dbhost[3],
    }
}

This is off-list because it isn't widely used. I don't wish to pollute
the wider noob community with such heresy. It works nicely for me but
best-practice (I'm told) is to store such things in environment vars and
get them from there when required. I'd drop my approach and do that if I
had time.

Cheers

Mike

<below>
# -*- coding: utf-8 -*-
from __future__ import unicode_literals
# this is the only django import permitted in settings files
from django.core.exceptions import ImproperlyConfigured


def getcreds(fname, project, credsroot='/var/www/creds'):
    """ return a list of userid and password and perhaps other data """
    # one directory per project under credsroot, one plain-text file per
    # credential set, one value per line (e.g. host, port, user, password)
    credsdir = '%s/%s' % (credsroot, project)
    creds = []
    fname = '%s/%s' % (credsdir, fname)
    try:
        with open(fname, 'r') as f:
            for line in f:
                creds.append(line.strip())
    except IOError as e:
        # report an unreadable creds file as a settings error, not a traceback
        raise ImproperlyConfigured('Cannot read %s: %s' % (fname, e))
    if not creds:
        raise ImproperlyConfigured('Missing setting: %s' % fname)
    return creds


On 25/09/2015 4:03 PM, Gordon Reeder wrote:
> I'm learning Django and still very new at it. And like a newbie, I may
> have made a newbie goof.
> I have leaked my CSRF token.
> I am building up a web site with Django which I have under revision
> control with Git. I have pushed two commits of the project out to
> Github. The commits included the settings.py file, which list the CSRF
> token. I have read (after the fact) that maybe that wasn't the smartest
> thing to do.
>
> So now what?
>
> Can I remove the settings.py file from Github?
> Or can I generate a new CSRF token?
>
> Any suggestions?
>

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/560541E6.2090603%40dewhirst.com.au.
For more options, visit https://groups.google.com/d/optout.
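As an added example (not Mike's code, Python 3), here is the environment-variable variant of the same settings that Mike says is best practice, plus a helper that mints a replacement SECRET_KEY for Gordon's case: once a key has been pushed to a public repo it should be rotated, not merely deleted from the next commit. The variable names DJANGO_SECRET_KEY and DB_* are assumptions.

```python
import os
import secrets

try:
    from django.core.exceptions import ImproperlyConfigured
except ImportError:  # lets this example run without Django installed
    class ImproperlyConfigured(Exception):
        pass

# Same alphabet and length Django's own get_random_secret_key() uses.
SECRET_KEY_CHARS = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
SECRET_KEY_LENGTH = 50


def env_setting(name, default=None, environ=None):
    """Return environ[name] (os.environ by default) or `default`; raise
    ImproperlyConfigured when neither exists so a missing secret fails at
    startup rather than at first use."""
    environ = os.environ if environ is None else environ
    value = environ.get(name, default)
    if value is None or value == '':
        raise ImproperlyConfigured(
            'Set the %s environment variable; never commit it.' % name)
    return value


def new_secret_key():
    """Generate a fresh SECRET_KEY from the OS CSPRNG. Rotating it
    invalidates existing sessions, signed cookies and password-reset
    links, which is the intended effect after the old key leaked."""
    return ''.join(secrets.choice(SECRET_KEY_CHARS)
                   for _ in range(SECRET_KEY_LENGTH))


def database_settings(project, environ=None):
    """Build DATABASES['default'] from DB_* variables (assumed names),
    mirroring the dbhost[] list in the message above."""
    return {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': project,
        'USER': env_setting('DB_USER', environ=environ),
        'PASSWORD': env_setting('DB_PASSWORD', environ=environ),
        'HOST': env_setting('DB_HOST', 'localhost', environ),
        'PORT': env_setting('DB_PORT', '5432', environ),
    }

# In settings.py:  SECRET_KEY = env_setting('DJANGO_SECRET_KEY')
#                  DATABASES = {'default': database_settings(PROJECT)}
```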
