Rossen Raykov wrote:
There are two completely different things:
1. the server log
2. the output to the client.
In the first case you may log everything that you think is reasonable - stack traces and dumps, relative and absolute paths, etc. It may be assumed that it is secure since in general it is not accessible out of the box. My personal opinion is that even this log has to differ if -D (debug option) is misplayed.
In the second case it is better if Zope is returning just the error or the response. In the XML-RPC case the error has to be a valid XML-RPC response, not a stack trace. I can get that a stack trace may be extremely useful for a developer, but can't he see the server's error log? BTW, if a program is expecting an XML-RPC response but it is receiving a stack trace, it may be a little confusing (especially for a not so well written program ;). Zope first has to conform to the protocol for XML-RPC exchange (return an XML response) and after that to sweet the developers (dump the error in the server's log).
Regards, Rossen
Hmm, but it may hurt people who only work through the web, now they may need a shell account to get information vital for their work... What about setting up a permission "can see full error message" and just deny that for anonymous? A customizable standard_error_message would do too, I think.
cheers, oliver
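The behaviour discussed in both messages, as an added example that is not part of the thread and not Zope's own code: every failure is answered with a well-formed XML-RPC fault, the full traceback always goes to the server log, and the traceback reaches the client only when the caller holds the permission proposed in the reply. The function names, the fault code and the reference-id scheme are assumptions made for illustration, using Python's standard `xmlrpc.client`.

```python
import logging
import traceback
import uuid
import xmlrpc.client

log = logging.getLogger("xmlrpc.errors")

# Permission name as proposed in the thread; its use here is hypothetical.
FULL_ERROR_PERMISSION = "can see full error message"


def fault_response(exc, caller_permissions=frozenset()):
    """Return a valid XML-RPC fault document for `exc`.

    The traceback is always written to the server log under a random
    reference id. Only callers holding FULL_ERROR_PERMISSION get the
    traceback in the fault string; everyone else gets the reference id.
    """
    ref = uuid.uuid4().hex[:12]
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("XML-RPC call failed [ref %s]\n%s", ref, trace)

    if FULL_ERROR_PERMISSION in caller_permissions:
        message = "%s [ref %s]\n%s" % (type(exc).__name__, ref, trace)
    else:
        message = "Internal server error [ref %s]" % ref
    fault = xmlrpc.client.Fault(1, message)  # fault code 1 is an arbitrary choice
    return xmlrpc.client.dumps(fault, methodresponse=True)


def call_method(func, params, caller_permissions=frozenset()):
    """Run `func` and always answer with a well-formed XML-RPC document."""
    try:
        result = func(*params)
        return xmlrpc.client.dumps((result,), methodresponse=True)
    except Exception as exc:
        return fault_response(exc, caller_permissions)


def read_config(name):
    # Constructed failing method: the absolute path is the kind of detail
    # that should stay in the server log for anonymous callers.
    raise IOError("cannot open /srv/app/var/%s" % name)
```

The reference id in the anonymous fault lets a through-the-web user quote it to whoever can read the server log, without needing shell access themselves.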