using wsgi.py, set debug mode equal to web.config.debug #35



irrelative commented Dec 2, 2010

Version of flup (in ubuntu 10.04 anyway) defaults to debug=True. This can lead to tracebacks if webpy really fails badly -- for instance in the error handling code.

This is a problem because in flup fcgi_base.py, this exists:
if self.debug:
    import cgitb
    req.stdout.write('Content-Type: text/html\r\n\r\n' +
                     cgitb.html(sys.exc_info()))

This is ugly and potentially a security issue.


anandology commented Dec 2, 2010

Why not set flup debug=False always?


irrelative commented Dec 2, 2010

That's fine too. I don't mind the stack trace if I'm explicitly in debug=True mode -- I encountered this when I had a typo in my error handler. It gave away more information than I would have liked, but was useful for determining what I screwed up.


anandology commented Dec 3, 2010

web.debugerror already gives a nice stack trace. Does it have any more info?


irrelative commented Dec 3, 2010

Agreed, debugerror is the common error message. This stack trace displays, however, if debugerror fails for some reason -- for instance, an encoding issue. Here's the issue:

import web

app = web.application(...)

def new_error():
    1 / 0  # dividing by zero, or something dumb
    raise web.internalerror('ooops')

# the replacement error handler itself raises, so web.debugerror never runs
app.internalerror = new_error

Currently in a deployed application, you'd get a stack trace no matter what. This exposes stuff like where your files live, that you're using python, etc -- not good security practices. With my change you'd still see this stack trace, which could be handy to find the 0 division error, but only with web.debug explicitly turned on.

It's a fairly rare situation, but I've seen it a couple times and the python stack is ugly.
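To make the failure mode in this thread concrete, here is an added example that is not webpy or flup code: a minimal pure-WSGI stack in which the application's error handler itself raises (as new_error above does), and an outermost catch-all layer, standing in for flup's fcgi_base handler, decides from an explicit debug flag whether the traceback goes to the client or only to the server log. All function names (app, broken_error_handler, wrap_with_handler, outer_guard, call, run) and the constructed environ are assumptions for the illustration.

```python
"""Added example, not code from webpy or flup.

Models the thread's scenario: the view fails, the configured error
handler fails too, and the outermost layer must not leak a traceback
unless debug was explicitly turned on.
"""
import io
import traceback


def app(environ, start_response):
    """Hypothetical view that always fails, like a view with a typo."""
    raise ValueError("view failed")


def broken_error_handler(environ, start_response):
    """Mirrors the thread's new_error(): the error handler itself raises."""
    1 / 0


def wrap_with_handler(application, error_handler):
    """First layer: route exceptions from the app into the error handler,
    the way web.py routes them to app.internalerror."""
    def wsgi(environ, start_response):
        try:
            return application(environ, start_response)
        except Exception:
            # If the handler raises here, the exception escapes this layer.
            return error_handler(environ, start_response)
    return wsgi


def outer_guard(application, debug=False):
    """Outermost catch-all, analogous to flup's fcgi_base handler.
    debug defaults to False, which is the fix the thread settles on:
    the traceback reaches the client only when explicitly requested."""
    def wsgi(environ, start_response):
        try:
            return application(environ, start_response)
        except Exception:
            trace = traceback.format_exc()
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            if debug:
                # Explicit debug mode: show the trace, useful while developing.
                return [trace.encode()]
            # Production: keep file paths and interpreter details server-side.
            environ["wsgi.errors"].write(trace)
            return [b"Internal Server Error"]
    return wsgi


def call(application):
    """Invoke a WSGI callable with a constructed environ (no real server).
    Returns (status, body_text, server_log_text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    errors = io.StringIO()  # stands in for the server's error log
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "wsgi.errors": errors}
    body = b"".join(application(environ, start_response))
    return captured["status"], body.decode(), errors.getvalue()


def run(debug):
    """Build the full stack and issue one request."""
    stack = outer_guard(wrap_with_handler(app, broken_error_handler),
                        debug=debug)
    return call(stack)


if __name__ == "__main__":
    for flag in (False, True):
        status, body, log = run(flag)
        print("debug=%s -> %s\n%s" % (flag, status, body))
```

With debug=False the client sees only "Internal Server Error" while the ZeroDivisionError trace is written to wsgi.errors; with debug=True the same trace is returned in the response body.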


irrelative commented Dec 6, 2010

Ok, we can just explicitly set the flag to False. It should be done -- it's present in that last commit by me (though commented as a revert...)


anandology commented Jan 7, 2011

Explicitly pass debug=False to flup server (tx irrelative). (closed by 5e276f3)

Version of flup in ubuntu 10.04 has debug=True as default. This is a security issue as it can expose tracebacks.

anandology added a commit to anandology/webpy that referenced this pull request May 3, 2011

Explicitly pass debug=False to flup server (tx irrelative). (closes #35)
Version of flup in ubuntu 10.04 has debug=True as default. This is a security issue as it can expose tracebacks.
