[Twisted-Python] Re: [Twisted-commits] log stderr and non-zero exit code in CGIs, don't show info to users as it is a security risk (closes issue #241)

Glyph Lefkowitz glyph at twistedmatrix.com
Thu Aug 28 18:16:09 MDT 2003


On Thursday, August 28, 2003, at 10:32 AM, itamarst CVS wrote:

> log stderr and non-zero exit code in CGIs, don't show info to users as 
> it is a security risk (closes issue #241)

We shouldn't swallow errors in these situations.  If it's a security 
risk, provide a way for the server administrator to turn it off, but 
this is a _bad_ default.

If you doubt the wisdom of making this default, please consult any 
number of Perl FAQs of the form:

	Q. "I wrote a CGI and it works perfectly, but now I moved it to 
another server and I get nothing but a "500 Internal Server Error" 
page.  How do I tell what went wrong!?!?!?"

	A. Look in your apache logs.

	---

	Q. "I looked at my apache logs and nothing makes sense!  How do I tell 
what the error was??!"

	A. ...

Also, could you clarify the security risk of displaying stderr from CGI 
scripts?  I've never heard of a CGI that puts security-critical 
information on stderr rather than stdout and makes it a risk to display 
to users.





More information about the Twisted-Python mailing list