At 2000-08-14 13:33 +0100, Chris Withers <chrisw@nipltd.com> wrote:
Martijn Pieters wrote:
On Thu, Aug 10, 2000 at 03:30:00PM -1000, David Trudgett wrote:
I thought I solved this problem a while ago, but if so I can't remember how. I have a custom error page in Zope (2.1.6), but Zope wants to put the traceback information into an HTML comment at the foot of the page (which I don't want to have there). I set BOBO_DEBUG_MODE=0 and exported it in the "start" script, and also removed the "-D" from the command line that launches Z2.py. I thought that was all there was to it, but there must be something else that I've forgotten.
Just removing the -D flag should do it. It may be that just having 'BOBO_DEBUG_MODE' defined (whatever the value you set it to) triggers debug mode, so defining 'BOBO_DEBUG_MODE=0' may well set Debug Mode on :)
I think what David means is that, when not in debug mode, Zope appends the error in HTML comments to the end of the HTML stream. There was a thread on this not long ago and, IIRC, this was found to be hard coded into Zope.
OK, looks like some Zope hacking to do... :-(
My own view is that Zope shouldn't stick any error messages into or on the end of error reports. At best, it's bad HTML, at worst it's a security risk (the Python traceback includes the full paths of the files on the machine...) If you want an error report/traceback, you should specifically include it in standard_error_message.
Agreed. It's just plain dumb (not to mention embarrassingly unprofessional) to put content after the </html> tag. My main concern, though, is the security aspect. The less potential crackers know, the better. At the very least, a traceback like that says: "Hey, this is a Zope site." To which the wily cracker replies, "Great. Now let's try all the known Zope vulnerabilities." Obviously, security by obscurity is not a good idea, but obscurity is not a bad idea, either :-) Apart from all of that, there is the issue of content being added that wasn't requested. That's a bit impolite, I think.
Has anyone put this in the collector, or is it more suited to dev.zope.org?
I'd classify it as a bug for the collector, myself... I think there's also a related issue of a hard-coded error message page in the guts of Zope somewhere, because the user-defined error page is not used in every case...
cheers,
Chris
Sorry for the whinge, guys and gals! Zope is still great! Bye for now. David Trudgett
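An added example, not part of the original thread and not Zope code: a check a site owner could run over a saved error response to see whether it carries the appended traceback comment discussed above, and which server file paths it exposes. The function name `audit_error_page`, the sample pages and the paths in them are constructed for illustration.

```python
import re

# Python 1.5.x headed tracebacks with "innermost last"; later versions
# print "most recent call last". Match either.
TRACEBACK_RE = re.compile(r"Traceback \((?:innermost last|most recent call last)\)")
# Absolute paths in traceback frames, quoted or unquoted, POSIX or drive-letter.
PATH_RE = re.compile(r'File "?((?:/|[A-Za-z]:\\)[^",\s]+)')
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
HTML_END_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def audit_error_page(body):
    """Report what an error response body discloses beyond the page itself."""
    ends = list(HTML_END_RE.finditer(body))
    # Anything non-blank after the last </html> was appended to the page.
    trailing = body[ends[-1].end():].strip() if ends else ""
    traceback_in_comment = False
    leaked_paths = []
    for comment in COMMENT_RE.findall(body):
        if TRACEBACK_RE.search(comment):
            traceback_in_comment = True
            leaked_paths.extend(PATH_RE.findall(comment))
    return {
        "content_after_html": bool(trailing),
        "traceback_in_comment": traceback_in_comment,
        "leaked_paths": sorted(set(leaked_paths)),
    }


# Constructed sample: a custom error page with a traceback comment appended.
LEAKY = """<html><body><h1>Sorry, something went wrong.</h1></body></html>
<!--
Traceback (innermost last):
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 214, in publish_module
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 179, in publish
NameError: title
-->
"""
# Constructed sample: the same page with nothing appended.
CLEAN = "<html><body><h1>Sorry, something went wrong.</h1></body></html>\n"

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, audit_error_page(page))
```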