[Twisted-Python] Re: [Twisted-commits] log stderr and non-zero exit code in CGIs, don't show info to users as it is a security risk (closes issue #241)

Glyph Lefkowitz glyph at twistedmatrix.com
Thu Aug 28 20:16:09 EDT 2003


On Thursday, August 28, 2003, at 10:32 AM, itamarst CVS wrote:

> log stderr and non-zero exit code in CGIs, don't show info to users as 
> it is a security risk (closes issue #241)

We shouldn't swallow errors in these situations.  If it's a security 
risk, provide a way for the server administrator to turn it off, but 
this is a _bad_ default.

If you doubt the wisdom of making this default, please consult any 
number of Perl FAQs of the form:

	Q. "I wrote a CGI and it works perfectly, but now I moved it to 
another server and I get nothing but a "500 Internal Server Error" 
page.  How do I tell what went wrong!?!?!?"

	A. Look in your apache logs.

	---

	Q. "I looked at my apache logs and nothing makes sense!  How do I tell 
what the error was??!"

	A. ...

Also, could you clarify the security risk of displaying stderr from CGI 
scripts?  I've never heard of a CGI that puts security-critical 
information on stderr rather than stdout and makes it a risk to display 
to users.
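As an added illustration of the default the message argues for (not code from Glyph, from the commit under discussion, or from Twisted itself), the following standard-library sketch always records a CGI's stderr and non-zero exit status in the server log, and only copies that detail into the HTTP response when an administrator has explicitly enabled `expose_errors`. The function names, the `expose_errors` switch and the sample script are all assumptions made here for the example.

```python
import logging
import subprocess
import sys

# Server-side log; in a real deployment this is the web server's error log.
log = logging.getLogger("cgi")

GENERIC_ERROR = b"500 Internal Server Error\n"


def render_cgi_result(exit_code, stdout, stderr, expose_errors=False):
    """Turn a finished CGI process into an (HTTP status, body) pair.

    stderr and a non-zero exit status always go to the server log, so the
    administrator can diagnose the failure.  They are echoed to the client
    only when expose_errors is set, which keeps tracebacks, file paths and
    similar details out of responses by default while still giving the
    admin a switch to turn them on while debugging.
    """
    if stderr:
        log.warning("CGI stderr: %s", stderr.decode("utf-8", "replace").rstrip())
    if exit_code != 0:
        log.error("CGI exited with status %d", exit_code)
        if expose_errors:
            body = b"CGI exited with status %d\n\n" % exit_code + stderr
        else:
            body = GENERIC_ERROR
        return 500, body
    return 200, stdout


def run_cgi(argv, expose_errors=False, timeout=10):
    """Run the CGI program in argv and render its outcome (hypothetical runner)."""
    proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    return render_cgi_result(proc.returncode, proc.stdout, proc.stderr, expose_errors)


# A constructed stand-in for a broken CGI: writes a diagnostic to stderr and
# exits non-zero, as a crashing Perl or Python script would.
FAILING_CGI = [
    sys.executable,
    "-c",
    "import sys; sys.stderr.write('Traceback: /srv/app/config.py line 12\\n'); sys.exit(2)",
]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    status, body = run_cgi(FAILING_CGI)                      # default: generic page
    print(status, body)
    status, body = run_cgi(FAILING_CGI, expose_errors=True)  # admin opted in
    print(status, body)
```

Running the file shows the same failure twice: first as the bare generic error page the client sees by default, then with the script's stderr included once the switch is on; in both cases the detail has already been written to the log.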