Removing tracebacks from error message
I thought I solved this problem a while ago, but if so I can't remember how. I have a custom error page in Zope (2.1.6), but Zope wants to put the traceback information into an HTML comment at the foot of the page (which I don't want to have there). I set BOBO_DEBUG_MODE=0 and exported it in the "start" script, and also removed the "-D" from the command line that launches Z2.py. I thought that was all there was to it, but there must be something else that I've forgotten. Any ideas? Thanks. David Trudgett
On Thu, Aug 10, 2000 at 03:30:00PM -1000, David Trudgett wrote:
I thought I solved this problem a while ago, but if so I can't remember how. I have a custom error page in Zope (2.1.6), but Zope wants to put the traceback information into an HTML comment at the foot of the page (which I don't want to have there). I set BOBO_DEBUG_MODE=0 and exported it in the "start" script, and also removed the "-D" from the command line that launches Z2.py. I thought that was all there was to it, but there must be something else that I've forgotten.
Just removing the -D flag should do it. It may be that just having 'BOBO_DEBUG_MODE' defined (whatever the value you set it to) triggers debug mode, so defining 'BOBO_DEBUG_MODE=0' may well set Debug Mode on :)

--
Martijn Pieters
| Software Engineer mailto:mj@digicool.com
| Digital Creations http://www.digicool.com/
| Creators of Zope http://www.zope.org/
| ZopeStudio: http://www.zope.org/Products/ZopeStudio
Martijn Pieters wrote:
On Thu, Aug 10, 2000 at 03:30:00PM -1000, David Trudgett wrote:
I thought I solved this problem a while ago, but if so I can't remember how. I have a custom error page in Zope (2.1.6), but Zope wants to put the traceback information into an HTML comment at the foot of the page (which I don't want to have there). I set BOBO_DEBUG_MODE=0 and exported it in the "start" script, and also removed the "-D" from the command line that launches Z2.py. I thought that was all there was to it, but there must be something else that I've forgotten.
Just removing the -D flag should do it. It may be that just having 'BOBO_DEBUG_MODE' defined (whatever the value you set it to) triggers debug mode, so defining 'BOBO_DEBUG_MODE=0' may well set Debug Mode on :)
I think what David means is that, when not in debug mode, Zope appends the error in HTML comments to the end of the HTML stream. There was a thread on this not long ago and, IIRC, this was found to be hard coded into Zope. My own view is that Zope shouldn't stick any error messages into or on the end of error reports. At best, it's bad HTML, at worst it's a security risk (the python traceback includes the full paths of the files on the machine...) If you want an error report/traceback, you should specifically include it in standard_error_message. Has anyone put this in the collector, or is it more suited to dev.zope.org? cheers, Chris
At 2000-08-14 13:33 +0100, Chris Withers <chrisw@nipltd.com> wrote:
Martijn Pieters wrote:
On Thu, Aug 10, 2000 at 03:30:00PM -1000, David Trudgett wrote:
I thought I solved this problem a while ago, but if so I can't remember how. I have a custom error page in Zope (2.1.6), but Zope wants to put the traceback information into an HTML comment at the foot of the page (which I don't want to have there). I set BOBO_DEBUG_MODE=0 and exported it in the "start" script, and also removed the "-D" from the command line that launches Z2.py. I thought that was all there was to it, but there must be something else that I've forgotten.
Just removing the -D flag should do it. It may be that just having 'BOBO_DEBUG_MODE' defined (whatever the value you set it to) triggers debug mode, so defining 'BOBO_DEBUG_MODE=0' may well set Debug Mode on :)
I think what David means is that, when not in debug mode, Zope appends the error in HTML comments to the end of the HTML stream. There was a thread on this not long ago and, IIRC, this was found to be hard coded into Zope.
OK, looks like some Zope hacking to do... :-(
My own view is that Zope shouldn't stick any error messages into or on the end of error reports. At best, it's bad HTML, at worst it's a security risk (the python traceback includes the full paths of the files on the machine...) If you want an error report/traceback, you should specifically include it in standard_error_message.
Agreed. It's just plain dumb (not to mention embarrassingly unprofessional) to put content after the </html> tag. My main concern, though, is the security aspect. The less potential crackers know, the better. At the very least, a traceback like that says: "Hey, this is a Zope site." To which the wily cracker replies, "Great. Now let's try all the known Zope vulnerabilities." Obviously, security by obscurity is not a good idea, but obscurity is not a bad idea, either :-) Apart from all of that, there is the issue of content being added that wasn't requested. That's a bit impolite, I think.
Has anyone put this in the collector, or is it more suited to dev.zope.org?
I'd classify it as a bug for the collector, myself... I think there's also a related issue of a hard-coded error message page in the guts of Zope somewhere, because the user-defined error page is not used in every case...
cheers,
Chris
Sorry for the whinge, guys and gals! Zope is still great! Bye for now. David Trudgett
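The leak discussed in this thread can be checked for from the outside. The following is an added example, not part of the original thread and not Zope code: it audits an error-page body for traceback data in HTML comments and for content after the closing `</html>` tag, and strips the offending comments as a stop-gap response filter. The sample page, its paths and all function names are constructed for illustration.

```python
import re

# Traceback headers: the Python 1.5-era wording and the modern one.
TRACEBACK_RE = re.compile(r"Traceback \((?:innermost last|most recent call last)\)")
# Frame lines such as:  File "/path/to/module.py", line 12, in func
FRAME_RE = re.compile(r'File "([^"]+)", line \d+')
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
HTML_END_RE = re.compile(r"</html\s*>", re.IGNORECASE)

# Constructed sample: a custom error page with a traceback comment appended.
SAMPLE = """<html><body><h1>Sorry, something went wrong</h1>
<!-- build 42 -->
</body></html>
<!--
Traceback (innermost last):
  File "/opt/example/app/publish.py", line 214, in publish_module
  File "/opt/example/app/views.py", line 37, in index
NameError: missing_name
-->
"""

def has_traceback(text):
    return bool(TRACEBACK_RE.search(text) or FRAME_RE.search(text))

def audit_error_page(body):
    """Report traceback comments, leaked file paths and post-</html> content."""
    findings = {"traceback_comments": 0, "leaked_paths": [], "trailing_content": False}
    for match in COMMENT_RE.finditer(body):
        comment = match.group(1)
        if has_traceback(comment):
            findings["traceback_comments"] += 1
            findings["leaked_paths"].extend(FRAME_RE.findall(comment))
    ends = list(HTML_END_RE.finditer(body))
    # Anything other than whitespace after the last </html> is unexpected output.
    if ends and body[ends[-1].end():].strip():
        findings["trailing_content"] = True
    return findings

def strip_traceback_comments(body):
    """Drop only comments that carry traceback data; other comments are kept."""
    return COMMENT_RE.sub(
        lambda m: "" if has_traceback(m.group(1)) else m.group(0), body)

if __name__ == "__main__":
    print(audit_error_page(SAMPLE))
    print(audit_error_page(strip_traceback_comments(SAMPLE)))
```

Filtering responses this way only hides the symptom; the traceback is still generated server-side, so the durable fix is to stop the application emitting it.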