Discourage insecure SHOW_TOOLBAR_CALLBACK values
A leaked SECRET_KEY combined with an insecure SHOW_TOOLBAR_CALLBACK
configuration may lead to remote execution of arbitrary SQL.

The toolbar shouldn't be installed in production environments anyway.
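The permissive callback the commit message warns about, placed beside a hardened one, as an added example that is not code from this commit or from the django-debug-toolbar project. The ``FakeRequest`` stand-in, the explicit ``debug``/``internal_ips`` parameters (a real callback takes only ``request`` and reads ``django.conf.settings``) and the sample addresses are assumptions made so the snippet runs without Django installed.

```python
"""
SHOW_TOOLBAR_CALLBACK: the permissive pattern beside a hardened one.

Added example, not code from django-debug-toolbar or this commit. To run
stand-alone without Django it does not import django.conf.settings: DEBUG and
INTERNAL_IPS are passed in explicitly (assumption), and FakeRequest is a
constructed stand-in for django.http.HttpRequest that exposes only .META.
"""
from dataclasses import dataclass, field


@dataclass
class FakeRequest:
    """Constructed stand-in for HttpRequest; only META is consulted."""
    META: dict = field(default_factory=dict)


def show_toolbar_insecure(request, debug, internal_ips):
    """The configuration the commit warns against: show the toolbar to every
    request. With a leaked SECRET_KEY the SQL panel's views are then reachable
    by anyone, which is the arbitrary-SQL exposure the commit message describes."""
    return True


def show_toolbar_hardened(request, debug, internal_ips):
    """Serve the toolbar only in DEBUG mode and only to addresses listed in
    INTERNAL_IPS. REMOTE_ADDR is the peer address Django fills in from the
    socket; X-Forwarded-For is deliberately ignored because a client can set it."""
    if not debug:
        return False
    return request.META.get("REMOTE_ADDR") in internal_ips


def demo():
    """Exercise both callbacks against a trusted and an untrusted client.
    Returns a dict of "callback/scenario" -> decision (constructed inputs)."""
    internal_ips = ["127.0.0.1"]
    local = FakeRequest(META={"REMOTE_ADDR": "127.0.0.1"})
    # Untrusted client (TEST-NET-3 address) trying to spoof the local address
    # through a header it controls.
    remote = FakeRequest(META={"REMOTE_ADDR": "203.0.113.7",
                               "HTTP_X_FORWARDED_FOR": "127.0.0.1"})
    return {
        "insecure/remote": show_toolbar_insecure(remote, True, internal_ips),
        "hardened/local": show_toolbar_hardened(local, True, internal_ips),
        "hardened/remote": show_toolbar_hardened(remote, True, internal_ips),
        "hardened/debug-off": show_toolbar_hardened(local, False, internal_ips),
    }


if __name__ == "__main__":
    for scenario, shown in demo().items():
        print(f"{scenario:20s} -> toolbar shown: {shown}")
```

To wire the hardened variant into a project, wrap it in a one-argument callback that reads ``settings.DEBUG`` and ``settings.INTERNAL_IPS`` and point ``DEBUG_TOOLBAR_CONFIG["SHOW_TOOLBAR_CALLBACK"]`` at that callable's dotted path; the decisive property is that the callback never returns ``True`` for a request the server cannot vouch for.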
matthiask authored and tim-schilling committed Dec 8, 2021
1 parent ab213ef commit ffa60c2
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion docs/configuration.rst
@@ -134,7 +134,10 @@ Toolbar options

Please note that the debug toolbar isn't hardened for use in production
environments or on public servers. You should be aware of the implications
to the security of your servers when using your own callback.
to the security of your servers when using your own callback. One known
implication is that it is possible to execute arbitrary SQL through the
SQL panel when the ``SECRET_KEY`` value is leaked somehow.


Panel options
~~~~~~~~~~~~~
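Review bot: the added sentence names a leaked ``SECRET_KEY`` as the only precondition, but the commit message makes the exposure a combination of two things, the leaked key and a ``SHOW_TOOLBAR_CALLBACK`` that serves the toolbar to untrusted requests; the docs text should say so, e.g. "when the ``SECRET_KEY`` value is leaked and your callback shows the toolbar to clients you do not trust", so a reader of this paragraph sees both halves rather than inferring that a key leak alone is the issue. "leaked somehow" is also vaguer than it needs to be; "is leaked" reads cleaner.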
