Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

Fixed #10841 -- Switched response served when DEBUG=True and request.…

…is_ajax() returns True (indicating request has been generated by a JS library) to a plain text version for easier debugging.

Contents of this response are similar to its HTML counterpart modulo frame variables values in the Python traceback section.

Thanks to Riz for the report, to SmileyChris for the patch and to Julien for reviewing.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16921 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 0d9b6a5bc43c06716212bd3f847460ce985381aa 1 parent 28ee7a9
Ramiro Morales authored October 02, 2011
90  django/views/debug.py
@@ -59,8 +59,12 @@ def technical_500_response(request, exc_type, exc_value, tb):
59 59
     the values returned from sys.exc_info() and friends.
60 60
     """
61 61
     reporter = ExceptionReporter(request, exc_type, exc_value, tb)
62  
-    html = reporter.get_traceback_html()
63  
-    return HttpResponseServerError(html, mimetype='text/html')
  62
+    if request.is_ajax():
  63
+        text = reporter.get_traceback_text()
  64
+        return HttpResponseServerError(text, mimetype='text/plain')
  65
+    else:
  66
+        html = reporter.get_traceback_html()
  67
+        return HttpResponseServerError(html, mimetype='text/html')
64 68
 
65 69
 # Cache for the default exception reporter filter instance.
66 70
 default_exception_reporter_filter = None
@@ -201,8 +205,8 @@ def __init__(self, request, exc_type, exc_value, tb, is_email=False):
201 205
             self.exc_value = Exception('Deprecated String Exception: %r' % self.exc_type)
202 206
             self.exc_type = type(self.exc_value)
203 207
 
204  
-    def get_traceback_html(self):
205  
-        "Return HTML code for traceback."
  208
+    def get_traceback_data(self):
  209
+        "Return a Context instance containing traceback information."
206 210
 
207 211
         if self.exc_type and issubclass(self.exc_type, TemplateDoesNotExist):
208 212
             from django.template.loader import template_source_loaders
@@ -240,8 +244,7 @@ def get_traceback_html(self):
240 244
                 unicode_str = self.exc_value.args[1]
241 245
                 unicode_hint = smart_unicode(unicode_str[max(start-5, 0):min(end+5, len(unicode_str))], 'ascii', errors='replace')
242 246
         from django import get_version
243  
-        t = Template(TECHNICAL_500_TEMPLATE, name='Technical 500 template')
244  
-        c = Context({
  247
+        c = {
245 248
             'is_email': self.is_email,
246 249
             'unicode_hint': unicode_hint,
247 250
             'frames': frames,
@@ -256,7 +259,7 @@ def get_traceback_html(self):
256 259
             'template_info': self.template_info,
257 260
             'template_does_not_exist': self.template_does_not_exist,
258 261
             'loader_debug_info': self.loader_debug_info,
259  
-        })
  262
+        }
260 263
         # Check whether exception info is available
261 264
         if self.exc_type:
262 265
             c['exception_type'] = self.exc_type.__name__
@@ -264,6 +267,18 @@ def get_traceback_html(self):
264 267
             c['exception_value'] = smart_unicode(self.exc_value, errors='replace')
265 268
         if frames:
266 269
             c['lastframe'] = frames[-1]
  270
+        return c
  271
+
  272
+    def get_traceback_html(self):
  273
+        "Return HTML version of debug 500 HTTP error page."
  274
+        t = Template(TECHNICAL_500_TEMPLATE, name='Technical 500 template')
  275
+        c = Context(self.get_traceback_data())
  276
+        return t.render(c)
  277
+
  278
+    def get_traceback_text(self):
  279
+        "Return plain text version of debug 500 HTTP error page."
  280
+        t = Template(TECHNICAL_500_TEXT_TEMPLATE, name='Technical 500 template')
  281
+        c = Context(self.get_traceback_data(), autoescape=False)
267 282
         return t.render(c)
268 283
 
269 284
     def get_template_exception_info(self):
@@ -890,6 +905,67 @@ def empty_urlconf(request):
890 905
 </html>
891 906
 """
892 907
 
  908
+TECHNICAL_500_TEXT_TEMPLATE = """{% firstof exception_type 'Report' %}{% if request %} at {{ request.path_info }}{% endif %}
  909
+{% firstof exception_value 'No exception supplied' %}
  910
+{% if request %}
  911
+Request Method: {{ request.META.REQUEST_METHOD }}
  912
+Request URL: {{ request.build_absolute_uri }}{% endif %}
  913
+Django Version: {{ django_version_info }}
  914
+Python Executable: {{ sys_executable }}
  915
+Python Version: {{ sys_version_info }}
  916
+Python Path: {{ sys_path }}
  917
+Server time: {{server_time|date:"r"}}
  918
+Installed Applications:
  919
+{{ settings.INSTALLED_APPS|pprint }}
  920
+Installed Middleware:
  921
+{{ settings.MIDDLEWARE_CLASSES|pprint }}
  922
+{% if template_does_not_exist %}Template loader Error:
  923
+{% if loader_debug_info %}Django tried loading these templates, in this order:
  924
+{% for loader in loader_debug_info %}Using loader {{ loader.loader }}:
  925
+{% for t in loader.templates %}{{ t.name }} (File {% if t.exists %}exists{% else %}does not exist{% endif %})
  926
+{% endfor %}{% endfor %}
  927
+{% else %}Django couldn't find any templates because your TEMPLATE_LOADERS setting is empty!
  928
+{% endif %}
  929
+{% endif %}{% if template_info %}
  930
+Template error:
  931
+In template {{ template_info.name }}, error at line {{ template_info.line }}
  932
+   {{ template_info.message }}{% for source_line in template_info.source_lines %}{% ifequal source_line.0 template_info.line %}
  933
+   {{ source_line.0 }} : {{ template_info.before }} {{ template_info.during }} {{ template_info.after }}
  934
+{% else %}
  935
+   {{ source_line.0 }} : {{ source_line.1 }}
  936
+   {% endifequal %}{% endfor %}{% endif %}{% if frames %}
  937
+Traceback:
  938
+{% for frame in frames %}File "{{ frame.filename }}" in {{ frame.function }}
  939
+{% if frame.context_line %}  {{ frame.lineno }}. {{ frame.context_line }}{% endif %}
  940
+{% endfor %}
  941
+{% if exception_type %}Exception Type: {{ exception_type }}{% if request %} at {{ request.path_info }}{% endif %}
  942
+{% if exception_value %}Exception Value: {{ exception_value }}{% endif %}{% endif %}{% endif %}
  943
+{% if request %}Request information:
  944
+GET:{% for k, v in request.GET.items %}
  945
+{{ k }} = {{ v|stringformat:"r" }}{% empty %} No GET data{% endfor %}
  946
+
  947
+POST:{% for k, v in filtered_POST.items %}
  948
+{{ k }} = {{ v|stringformat:"r" }}{% empty %} No POST data{% endfor %}
  949
+
  950
+FILES:{% for k, v in request.FILES.items %}
  951
+{{ k }} = {{ v|stringformat:"r" }}{% empty %} No FILES data{% endfor %}
  952
+
  953
+COOKIES:{% for k, v in request.COOKIES.items %}
  954
+{{ k }} = {{ v|stringformat:"r" }}{% empty %} No cookie data{% endfor %}
  955
+
  956
+META:{% for k, v in request.META.items|dictsort:"0" %}
  957
+{{ k }} = {{ v|stringformat:"r" }}{% endfor %}
  958
+{% else %}Request data not supplied
  959
+{% endif %}
  960
+Settings:
  961
+Using settings module {{ settings.SETTINGS_MODULE }}{% for k, v in settings.items|dictsort:"0" %}
  962
+{{ k }} = {{ v|stringformat:"r" }}{% endfor %}
  963
+
  964
+You're seeing this error because you have DEBUG = True in your
  965
+Django settings file. Change that to False, and Django will
  966
+display a standard 500 page.
  967
+"""
  968
+
893 969
 TECHNICAL_404_TEMPLATE = """
894 970
 <!DOCTYPE html>
895 971
 <html lang="en">
11  docs/releases/1.4.txt
@@ -339,6 +339,17 @@ Django 1.4 also includes several smaller improvements worth noting:
339 339
   be able to retrieve a translation string without displaying it but setting
340 340
   a template context variable instead.
341 341
 
  342
+* A new plain text version of the HTTP 500 status code internal error page
  343
+  served when :setting:`DEBUG` is ``True`` is now sent to the client when
  344
+  Django detects that the request has originated in JavaScript code
  345
+  (:meth:`~django.http.HttpRequest.is_ajax` is used for this).
  346
+
  347
+  Similarly to its HTML counterpart, it contains a collection of different
  348
+  pieces of information about the state of the web application.
  349
+
  350
+  This should make it easier to read when debugging interaction with
  351
+  client-side Javascript code.
  352
+
342 353
 .. _backwards-incompatible-changes-1.4:
343 354
 
344 355
 Backwards incompatible changes in 1.4
176  tests/regressiontests/views/tests/debug.py
@@ -171,45 +171,104 @@ def test_message_only(self):
171 171
         self.assertIn('<p>Request data not supplied</p>', html)
172 172
 
173 173
 
174  
-class ExceptionReporterFilterTests(TestCase):
175  
-    """
176  
-    Ensure that sensitive information can be filtered out of error reports.
177  
-    Refs #14614.
178  
-    """
  174
+class PlainTextReportTests(TestCase):
179 175
     rf = RequestFactory()
  176
+
  177
+    def test_request_and_exception(self):
  178
+        "A simple exception report can be generated"
  179
+        try:
  180
+            request = self.rf.get('/test_view/')
  181
+            raise ValueError("Can't find my keys")
  182
+        except ValueError:
  183
+            exc_type, exc_value, tb = sys.exc_info()
  184
+        reporter = ExceptionReporter(request, exc_type, exc_value, tb)
  185
+        text = reporter.get_traceback_text()
  186
+        self.assertIn('ValueError at /test_view/', text)
  187
+        self.assertIn("Can't find my keys", text)
  188
+        self.assertIn('Request Method:', text)
  189
+        self.assertIn('Request URL:', text)
  190
+        self.assertIn('Exception Type:', text)
  191
+        self.assertIn('Exception Value:', text)
  192
+        self.assertIn('Traceback:', text)
  193
+        self.assertIn('Request information:', text)
  194
+        self.assertNotIn('Request data not supplied', text)
  195
+
  196
+    def test_no_request(self):
  197
+        "An exception report can be generated without request"
  198
+        try:
  199
+            raise ValueError("Can't find my keys")
  200
+        except ValueError:
  201
+            exc_type, exc_value, tb = sys.exc_info()
  202
+        reporter = ExceptionReporter(None, exc_type, exc_value, tb)
  203
+        text = reporter.get_traceback_text()
  204
+        self.assertIn('ValueError', text)
  205
+        self.assertIn("Can't find my keys", text)
  206
+        self.assertNotIn('Request Method:', text)
  207
+        self.assertNotIn('Request URL:', text)
  208
+        self.assertIn('Exception Type:', text)
  209
+        self.assertIn('Exception Value:', text)
  210
+        self.assertIn('Traceback:', text)
  211
+        self.assertIn('Request data not supplied', text)
  212
+
  213
+    def test_no_exception(self):
  214
+        "An exception report can be generated for just a request"
  215
+        request = self.rf.get('/test_view/')
  216
+        reporter = ExceptionReporter(request, None, None, None)
  217
+        text = reporter.get_traceback_text()
  218
+
  219
+    def test_request_and_message(self):
  220
+        "A message can be provided in addition to a request"
  221
+        request = self.rf.get('/test_view/')
  222
+        reporter = ExceptionReporter(request, None, "I'm a little teapot", None)
  223
+        text = reporter.get_traceback_text()
  224
+
  225
+    def test_message_only(self):
  226
+        reporter = ExceptionReporter(None, None, "I'm a little teapot", None)
  227
+        text = reporter.get_traceback_text()
  228
+
  229
+
  230
+class ExceptionReportTestMixin(object):
  231
+
  232
+    # Mixin used in the ExceptionReporterFilterTests and
  233
+    # AjaxResponseExceptionReporterFilter tests below
  234
+
180 235
     breakfast_data = {'sausage-key': 'sausage-value',
181 236
                       'baked-beans-key': 'baked-beans-value',
182 237
                       'hash-brown-key': 'hash-brown-value',
183 238
                       'bacon-key': 'bacon-value',}
184 239
 
185  
-    def verify_unsafe_response(self, view):
  240
+    def verify_unsafe_response(self, view, check_for_vars=True):
186 241
         """
187 242
         Asserts that potentially sensitive info are displayed in the response.
188 243
         """
189 244
         request = self.rf.post('/some_url/', self.breakfast_data)
190 245
         response = view(request)
191  
-        # All variables are shown.
192  
-        self.assertContains(response, 'cooked_eggs', status_code=500)
193  
-        self.assertContains(response, 'scrambled', status_code=500)
194  
-        self.assertContains(response, 'sauce', status_code=500)
195  
-        self.assertContains(response, 'worcestershire', status_code=500)
  246
+        if check_for_vars:
  247
+            # All variables are shown.
  248
+            self.assertContains(response, 'cooked_eggs', status_code=500)
  249
+            self.assertContains(response, 'scrambled', status_code=500)
  250
+            self.assertContains(response, 'sauce', status_code=500)
  251
+            self.assertContains(response, 'worcestershire', status_code=500)
  252
+
196 253
         for k, v in self.breakfast_data.items():
197 254
             # All POST parameters are shown.
198 255
             self.assertContains(response, k, status_code=500)
199 256
             self.assertContains(response, v, status_code=500)
200 257
 
201  
-    def verify_safe_response(self, view):
  258
+    def verify_safe_response(self, view, check_for_vars=True):
202 259
         """
203 260
         Asserts that certain sensitive info are not displayed in the response.
204 261
         """
205 262
         request = self.rf.post('/some_url/', self.breakfast_data)
206 263
         response = view(request)
207  
-        # Non-sensitive variable's name and value are shown.
208  
-        self.assertContains(response, 'cooked_eggs', status_code=500)
209  
-        self.assertContains(response, 'scrambled', status_code=500)
210  
-        # Sensitive variable's name is shown but not its value.
211  
-        self.assertContains(response, 'sauce', status_code=500)
212  
-        self.assertNotContains(response, 'worcestershire', status_code=500)
  264
+        if check_for_vars:
  265
+            # Non-sensitive variable's name and value are shown.
  266
+            self.assertContains(response, 'cooked_eggs', status_code=500)
  267
+            self.assertContains(response, 'scrambled', status_code=500)
  268
+            # Sensitive variable's name is shown but not its value.
  269
+            self.assertContains(response, 'sauce', status_code=500)
  270
+            self.assertNotContains(response, 'worcestershire', status_code=500)
  271
+
213 272
         for k, v in self.breakfast_data.items():
214 273
             # All POST parameters' names are shown.
215 274
             self.assertContains(response, k, status_code=500)
@@ -220,17 +279,19 @@ def verify_safe_response(self, view):
220 279
         self.assertNotContains(response, 'sausage-value', status_code=500)
221 280
         self.assertNotContains(response, 'bacon-value', status_code=500)
222 281
 
223  
-    def verify_paranoid_response(self, view):
  282
+    def verify_paranoid_response(self, view, check_for_vars=True):
224 283
         """
225 284
         Asserts that no variables or POST parameters are displayed in the response.
226 285
         """
227 286
         request = self.rf.post('/some_url/', self.breakfast_data)
228 287
         response = view(request)
229  
-        # Show variable names but not their values.
230  
-        self.assertContains(response, 'cooked_eggs', status_code=500)
231  
-        self.assertNotContains(response, 'scrambled', status_code=500)
232  
-        self.assertContains(response, 'sauce', status_code=500)
233  
-        self.assertNotContains(response, 'worcestershire', status_code=500)
  288
+        if check_for_vars:
  289
+            # Show variable names but not their values.
  290
+            self.assertContains(response, 'cooked_eggs', status_code=500)
  291
+            self.assertNotContains(response, 'scrambled', status_code=500)
  292
+            self.assertContains(response, 'sauce', status_code=500)
  293
+            self.assertNotContains(response, 'worcestershire', status_code=500)
  294
+
234 295
         for k, v in self.breakfast_data.items():
235 296
             # All POST parameters' names are shown.
236 297
             self.assertContains(response, k, status_code=500)
@@ -303,6 +364,14 @@ def verify_paranoid_email(self, view):
303 364
                 # No POST parameters' values are shown.
304 365
                 self.assertNotIn(v, email.body)
305 366
 
  367
+
  368
+class ExceptionReporterFilterTests(TestCase, ExceptionReportTestMixin):
  369
+    """
  370
+    Ensure that sensitive information can be filtered out of error reports.
  371
+    Refs #14614.
  372
+    """
  373
+    rf = RequestFactory()
  374
+
306 375
     def test_non_sensitive_request(self):
307 376
         """
308 377
         Ensure that everything (request info and frame variables) can bee seen
@@ -354,3 +423,62 @@ def test_custom_exception_reporter_filter(self):
354 423
         with self.settings(DEBUG=False):
355 424
             self.verify_unsafe_response(custom_exception_reporter_filter_view)
356 425
             self.verify_unsafe_email(custom_exception_reporter_filter_view)
  426
+
  427
+
  428
+class AjaxResponseExceptionReporterFilter(TestCase, ExceptionReportTestMixin):
  429
+    """
  430
+    Ensure that sensitive information can be filtered out of error reports.
  431
+
  432
+    Here we specifically test the plain text 500 debug-only error page served
  433
+    when it has been detected the request was sent by JS code. We don't check
  434
+    for (non)existence of frames vars in the traceback information section of
  435
+    the response content because we don't include them in these error pages.
  436
+    Refs #14614.
  437
+    """
  438
+    rf = RequestFactory(HTTP_X_REQUESTED_WITH='XMLHttpRequest')
  439
+
  440
+    def test_non_sensitive_request(self):
  441
+        """
  442
+        Ensure that request info can bee seen in the default error reports for
  443
+        non-sensitive requests.
  444
+        """
  445
+        with self.settings(DEBUG=True):
  446
+            self.verify_unsafe_response(non_sensitive_view, check_for_vars=False)
  447
+
  448
+        with self.settings(DEBUG=False):
  449
+            self.verify_unsafe_response(non_sensitive_view, check_for_vars=False)
  450
+
  451
+    def test_sensitive_request(self):
  452
+        """
  453
+        Ensure that sensitive POST parameters cannot be seen in the default
  454
+        error reports for sensitive requests.
  455
+        """
  456
+        with self.settings(DEBUG=True):
  457
+            self.verify_unsafe_response(sensitive_view, check_for_vars=False)
  458
+
  459
+        with self.settings(DEBUG=False):
  460
+            self.verify_safe_response(sensitive_view, check_for_vars=False)
  461
+
  462
+    def test_paranoid_request(self):
  463
+        """
  464
+        Ensure that no POST parameters can be seen in the default error reports
  465
+        for "paranoid" requests.
  466
+        """
  467
+        with self.settings(DEBUG=True):
  468
+            self.verify_unsafe_response(paranoid_view, check_for_vars=False)
  469
+
  470
+        with self.settings(DEBUG=False):
  471
+            self.verify_paranoid_response(paranoid_view, check_for_vars=False)
  472
+
  473
+    def test_custom_exception_reporter_filter(self):
  474
+        """
  475
+        Ensure that it's possible to assign an exception reporter filter to
  476
+        the request to bypass the one set in DEFAULT_EXCEPTION_REPORTER_FILTER.
  477
+        """
  478
+        with self.settings(DEBUG=True):
  479
+            self.verify_unsafe_response(custom_exception_reporter_filter_view,
  480
+                check_for_vars=False)
  481
+
  482
+        with self.settings(DEBUG=False):
  483
+            self.verify_unsafe_response(custom_exception_reporter_filter_view,
  484
+                check_for_vars=False)

0 notes on commit 0d9b6a5

Please sign in to comment.
Something went wrong with that request. Please try again.