From 5462c3564f48d2368be4d5bd69721cc7e1fb0748 Mon Sep 17 00:00:00 2001 From: Matthias Kestenholz Date: Wed, 8 Dec 2021 17:22:21 +0100 Subject: [PATCH] Discourage insecure SHOW_TOOLBAR_CALLBACK values A leaked SECRET_KEY combined with an insecure SHOW_TOOLBAR_CALLBACK configuration may lead to remote execution of arbitrary SQL. The toolbar shouldn't be installed in production environments anyway. --- docs/configuration.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/configuration.rst b/docs/configuration.rst index 084480dde..87b68b77f 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -134,7 +134,10 @@ Toolbar options Please note that the debug toolbar isn't hardened for use in production environments or on public servers. You should be aware of the implications - to the security of your servers when using your own callback. + to the security of your servers when using your own callback. One known + implication is that it is possible to execute arbitrary SQL through the + SQL panel when the ``SECRET_KEY`` value is leaked somehow. + Panel options ~~~~~~~~~~~~~
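Review bot: the added sentence in the docs/configuration.rst hunk names the consequence (arbitrary SQL via the SQL panel once ``SECRET_KEY`` leaks) but gives the reader no guidance on what makes a callback "insecure" or what to do instead, even though the commit message itself states the remedy ("The toolbar shouldn't be installed in production environments anyway"). Suggest carrying that into the docs, for example by following the new sentence with a line such as "Do not install the toolbar in production, and make sure your callback never enables it for requests from untrusted users." Also consider dropping "somehow" from "when the ``SECRET_KEY`` value is leaked somehow": it reads as hedging and adds nothing; "if the ``SECRET_KEY`` value is leaked" is sufficient.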