I am trying to disable the traceback which appears in site error messages under "view source". I located Application.py under lib/python/OFS and also HTTPResponse.py under lib/python/ZPublisher, but am not sure where to go from here.

I was able to make "site maintainer" hot using mailto:, and got rid of the paragraph telling you to view source, but I cannot figure out how to eliminate the traceback. Any suggestions?

-- Michael Lewis
Michael wrote:
I am trying to disable the traceback which appears in site error messages under "view source". I located Application.py under lib/python/OFS and also HTTPResponse.py under lib/python/ZPublisher, but am not sure where to go from here.
I was able to make "site maintainer" hot using mailto:, and got rid of the paragraph telling you to view source, but I cannot figure out how to eliminate the traceback. Any suggestions?
Edit HTTPResponse.py. Attached is a diff, changing the _traceback function to not report anything if the -D flag is not specified.

IMHO, you'll probably regret this :)

--
ethan mindlace fremen | iMeme - The most full featured Zope Host
http://mindlace.net | Root, ZEO, MySQL, Mailman, Unlimited Domains
iMeme Partner | http://iMeme.net
"It is our desire to remain what we are that limits us. -- Project 2501"

474c474 < else: _tbopen, _tbclose = '<!--', '-->' ---
else: _tbopen, tb, _tbclose = '','',''
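Review bot: The replacement at line 474, "else: _tbopen, tb, _tbclose = '','',''", blanks tb itself, so in this else branch the traceback is thrown away rather than only kept out of the response body. Write it to a server-side log (or mail it to the site maintainer) in this branch before clearing it, so the information is still there when someone reports the error. The patch is also a context-free normal diff (474c474), so it only applies cleanly to a copy of HTTPResponse.py whose line 474 matches the "<" line; a unified diff with context would be safer to pass around.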
On Mon, 19 Nov 2001, emf wrote:
IMHO, you'll probably regret this :)
Considering your warning, I have to ask, are there any other options? What do others do on a production site, just allow users to view their directory structure? Wouldn't this be somewhat of a security hole? I don't mind having a traceback for internal purposes, I just don't want users to have the ability to see it.
Michael wrote:
On Mon, 19 Nov 2001, emf wrote:
IMHO, you'll probably regret this :)
Considering your warning, I have to ask, are there any other options? What do others do on a production site, just allow users to view their directory structure? Wouldn't this be somewhat of a security hole? I don't mind having a traceback for internal purposes, I just don't want users to have the ability to see it.
Well, the patch I gave you will not override traceback if the -D flag is turned on. You could patch it more extensively and make it email or log the traceback, if you liked.

I'm not convinced it's that much of a security risk, to be honest. Indeed, "send me the error page" has been a good thing for me more than once. Basically, if your security depends on users not being able to see your directory structure, you've got big concerns that won't be addressed by hiding the traceback.

HTH,
--
ethan mindlace fremen | iMeme - The most full featured Zope Host
http://mindlace.net | Root, ZEO, MySQL, Mailman, Unlimited Domains
iMeme Partner | http://iMeme.net
"It is our desire to remain what we are that limits us. -- Project 2501"
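One way to get what the thread is asking for (traceback kept for internal use, absent from the page users see), as an added example that is not part of the thread and not Zope's code. The names render_error and demo, the logger name and the debug parameter (standing in for the -D flag) are hypothetical, and the failing path is constructed.

```python
import io
import logging
import re
import traceback
import uuid


def render_error(exc, debug, logger):
    """Return (page, error_id); the traceback is always logged server-side
    and is embedded in the page (as an HTML comment) only when debug is set."""
    error_id = uuid.uuid4().hex[:12]
    tb_text = "".join(
        traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("unhandled error id=%s\n%s", error_id, tb_text)

    if debug:
        # "--" must not occur inside an HTML comment, so split every run.
        safe_tb = re.sub(r"-(?=-)", "- ", tb_text)
        tb_open, tb, tb_close = "<!--\n", safe_tb, "-->"
    else:
        tb_open, tb, tb_close = "", "", ""

    page = (
        "<html><body><h2>Site Error</h2>\n"
        "<p>An error was encountered while publishing this resource.</p>\n"
        f"<p>Please quote reference {error_id} to the site maintainer.</p>\n"
        f"{tb_open}{tb}{tb_close}\n"
        "</body></html>"
    )
    return page, error_id


def demo():
    """Constructed failure whose traceback names a server-side path."""
    stream = io.StringIO()
    logger = logging.getLogger("site.errors.demo")  # hypothetical name
    logger.handlers.clear()
    logger.addHandler(logging.StreamHandler(stream))
    logger.propagate = False
    try:
        open("/nonexistent/constructed/path/secret.cfg")
    except OSError as exc:
        prod_page, prod_id = render_error(exc, debug=False, logger=logger)
        debug_page, _ = render_error(exc, debug=True, logger=logger)
    return prod_page, prod_id, debug_page, stream.getvalue()
```

The reference shown to the visitor is the same id written to the log, so "send me the error page" still leads the maintainer to the full traceback.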