Opened 18 years ago

Closed 15 years ago

#135 defect closed fixed (fixed)

[PATCH] Web tracebacks should be disable-able

Reported by: itamarst Owned by: dp
Priority: high Milestone:
Component: web Keywords:
Cc: Branch:
Author:

Description


Attachments (5)

utils.py.patch (530 bytes) - added by rich 18 years ago.
view.py.patch (2.2 KB) - added by rich 18 years ago.
server.py.patch (481 bytes) - added by rich 18 years ago.
web.py (972 bytes) - added by rich 18 years ago.
server.py.2.patch (1.5 KB) - added by rich 18 years ago.


Change History (17)

comment:1 Changed 18 years ago by itamarst

Showing the source and locals etc. is a security risk (e.g.
it will display the RPY where you store your database
username and password config, etc.)

Thus, it should be off by default. I recommend a ".debug =
False" attribute on Site that can be set to True.

comment:2 Changed 18 years ago by Glyph

Nope, this should be turned on by default, since when you
are using defaults you are typically developing.  System
administrators can make this a site-local default by adding
to sitecustomize.py or somesuch.

comment:3 Changed 18 years ago by Glyph

We have agreed that users must be able to disable web
tracebacks, regardless of what the default behavior should
be.  We can argue about that later.  Who wants to volunteer
to fix this? :)

comment:4 Changed 18 years ago by Glyph

looks like you are the "volunteer", lv

comment:5 Changed 18 years ago by LordVan

/me ? ;)

comment:6 Changed 18 years ago by syver

I need a quick fix for this behaviour. Where in the source
should one go to put the if on the debug flag?

Changed 18 years ago by rich

Attachment: utils.py.patch added

Changed 18 years ago by rich

Attachment: view.py.patch added

Changed 18 years ago by rich

Attachment: server.py.patch added

comment:7 Changed 18 years ago by rich

I've attached three patches that address this. First is a patch to 
server.Site to add a displayTraceback attribute. This defaults to True.

Second is the patch to view.View. This checks the site's displayTraceback
attribute in renderFailure. If it's false it writes self.genericFailure which
can be overridden in a subclass.

The last patch is to utils.renderFailure to make it continue to log the 
tracebacks but skip the request.write based on the flag in site.

Changed 18 years ago by rich

Attachment: web.py added

comment:8 Changed 18 years ago by rich

For the sake of completeness I've added a fourth patch. This adds an 
option to twisted.tap.web to toggle displaying tracebacks from mktap.

Changed 18 years ago by rich

Attachment: server.py.2.patch added

comment:9 Changed 18 years ago by rich

new patch for server.py that handles twisted.web as well as woven

comment:10 Changed 18 years ago by itamarst

To remind me to look at this.

comment:11 Changed 17 years ago by itamarst

Donovan, could you go about applying patches / fixes to woven and nevow for
this? I applied the applicable patches to twisted.web.

(it's utils.py and view.py).

I changed the attribute name to displayTracebacks.
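
Added example, not part of the ticket or of Twisted's code: a stdlib-only model of the behaviour described in comment 7 under the attribute name from comment 11, where the traceback is always logged but only written to the response when the site flag is set. `Site`, `Request` and `View` are stand-in classes, and `render_broken_page` and the secret value are constructed for illustration.

```python
import html
import io
import logging
import traceback

log = logging.getLogger("web")


class Site:
    """Stand-in site object; only the flag from the ticket is modelled."""
    displayTracebacks = True  # default proposed in comment 7


class Request:
    """Stand-in request that collects what would be sent to the client."""
    def __init__(self, site):
        self.site = site
        self.code = 200
        self.body = io.StringIO()

    def write(self, data):
        self.body.write(data)


class View:
    # Subclasses can override this page, as comment 7 describes.
    genericFailure = "<html><body><h1>Internal Server Error</h1></body></html>"

    def renderFailure(self, exc, request):
        tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        log.error("unhandled error while rendering:\n%s", tb)  # always logged
        request.code = 500
        if request.site.displayTracebacks:
            request.write("<pre>%s</pre>" % html.escape(tb))  # details reach the client
        else:
            request.write(self.genericFailure)  # client sees no internals


def render_broken_page(display_tracebacks):
    """Render a page that fails with a secret in its error message."""
    site = Site()
    site.displayTracebacks = display_tracebacks
    request = Request(site)
    try:
        db_password = "constructed-secret"  # constructed sample value
        raise RuntimeError("cannot connect with password %s" % db_password)
    except RuntimeError as exc:
        View().renderFailure(exc, request)
    return request.code, request.body.getvalue()
```
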

comment:12 Changed 15 years ago by Stephen Thorne

Cc: Glyph radix spiv itamarst LordVan Jonathan Lange dp phed syver removed
Resolution: fixed
Status: new → closed

Fixed a long time ago.
