[Zope] Removing tracebacks from error message
David Trudgett
dkt@registriesltd.com.au
Mon, 14 Aug 2000 14:01:04 -1000
At 2000-08-14 13:33 +0100, Chris Withers <chrisw@nipltd.com> wrote:
>Martijn Pieters wrote:
> > On Thu, Aug 10, 2000 at 03:30:00PM -1000, David Trudgett wrote:
> > > I thought I solved this problem a while ago, but if so I can't remember
> > > how. I have a custom error page in Zope (2.1.6), but Zope wants to put the
> > > traceback information into an HTML comment at the foot of the page (which I
> > > don't want to have there). I set BOBO_DEBUG_MODE=0 and exported it in the
> > > "start" script, and also removed the "-D" from the command line that
> > > launches Z2.py. I thought that was all there was to it, but there must be
> > > something else that I've forgotten.
> >
> > Just removing the -D flag should do it. It may be that just having
> > 'BOBO_DEBUG_MODE' defined (whatever the value you set it to) triggers debug
> > mode, so defining 'BOBO_DEBUG_MODE=0' may well set Debug Mode on :)
>
>I think what David means is that, when not in debug mode, Zope appends
>the error in HTML comments to the end of the HTML stream. There was a
>thread on this not long ago and, IIRC, this was found to be hard coded
>into Zope.
OK, looks like some Zope hacking to do... :-(
>My own view is that Zope shouldn't stick any error messages into or on
>the end of error reports. At best, it's bad HTML, at worst it's a
>security risk (the python traceback includes the full paths of the files
>on the machine...) If you want an error report/traceback, you should
>specifically include it in standard_error_message.
Agreed. It's just plain dumb (not to mention embarrassingly unprofessional)
to put content after the </html> tag. My main concern, though, is the
security aspect. The less potential crackers know, the better. At the very
least, a traceback like that says: "Hey, this is a Zope site." To which the
wily cracker replies, "Great. Now let's try all the known Zope
vulnerabilities." Obviously, security by obscurity is not a good idea, but
obscurity is not a bad idea, either :-)
Apart from all of that, there is the issue of content being added that
wasn't requested. That's a bit impolite, I think.
>Has anyone put this in the collector, or is it more suited to
>dev.zope.org?
I'd classify it as a bug for the collector, myself... I think there's also
a related issue of a hard-coded error message page in the guts of Zope
somewhere, because the user-defined error page is not used in every case...
>cheers,
>
>Chris
Sorry for the whinge, guys and gals! Zope is still great!
Bye for now.
David Trudgett
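The check a practitioner would want after reading this thread is a way to see, from the outside, whether an error page leaks a traceback after its closing tag, and what that traceback gives away (file paths, exception text, the fact that the server is a Python application). The following is an added example, not code from Zope or from anyone in this thread. It scans a response body for HTML comments that carry a Python traceback, reports the filesystem paths they expose, and shows the filtering step a front end could apply before the page leaves the server. The sample response is constructed for illustration and its paths, line numbers and exception are invented; the two traceback header forms it recognises ("innermost last" for the Python 1.5 era that Zope 2.1 ran on, "most recent call last" for later interpreters) are an assumption about the output formats involved.

```python
import re

# Constructed sample response (not a real capture): a custom error page with
# a Python traceback appended after </html> inside an HTML comment.  The file
# paths, line numbers and exception are invented for illustration.
SAMPLE_RESPONSE = """<html>
<head><title>Site Error</title></head>
<body>
<h1>Sorry, something went wrong.</h1>
<!-- layout note: keep this comment, it is harmless -->
</body>
</html>
<!--
Traceback (innermost last):
  File "/usr/local/Zope/lib/python/ZPublisher/Publish.py", line 222, in publish_module
  File "/usr/local/Zope/lib/python/ZPublisher/Publish.py", line 187, in publish
  File "/usr/local/Zope/lib/python/OFS/DTMLMethod.py", line 146, in __call__
KeyError: customer_id
-->
"""

# Assumed header formats: Python 1.5 wrote "innermost last", later versions
# write "most recent call last".  File lines are quoted in both.
TRACEBACK_RE = re.compile(r"Traceback \((?:innermost last|most recent call last)\):")
FILE_RE = re.compile(r'File "([^"\n]+)", line (\d+)')
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def trailing_content(body):
    """Return everything after the closing </html> tag ("" if the tag is absent).

    A well-formed page returns only whitespace; anything else is content the
    server tacked on after the document ended.
    """
    m = HTML_CLOSE_RE.search(body)
    return body[m.end():] if m else ""


def find_leaked_tracebacks(body):
    """Return one finding per HTML comment that contains a Python traceback.

    Each finding records the distinct filesystem paths the traceback exposes,
    the final exception line, and whether the comment sits after </html>.
    """
    close = HTML_CLOSE_RE.search(body)
    close_end = close.end() if close else len(body)
    findings = []
    for m in COMMENT_RE.finditer(body):
        text = m.group(1)
        if not TRACEBACK_RE.search(text):
            continue  # ordinary comment, not a traceback
        paths = sorted({path for path, _line in FILE_RE.findall(text)})
        lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
        findings.append({
            "after_html_close": m.start() >= close_end,
            "paths": paths,
            "exception": lines[-1],
        })
    return findings


def strip_leaked_tracebacks(body):
    """Return the body with traceback comments removed and nothing after </html>.

    This is what a filtering front end would do to the outbound response; it
    leaves ordinary comments inside the document untouched.
    """
    def drop_if_traceback(m):
        return "" if TRACEBACK_RE.search(m.group(1)) else m.group(0)

    cleaned = COMMENT_RE.sub(drop_if_traceback, body)
    close = HTML_CLOSE_RE.search(cleaned)
    if close:
        cleaned = cleaned[:close.end()] + "\n"
    return cleaned


if __name__ == "__main__":
    for f in find_leaked_tracebacks(SAMPLE_RESPONSE):
        print("traceback leaked after </html>:", f["after_html_close"])
        print("exception:", f["exception"])
        for p in f["paths"]:
            print("  exposes path:", p)
    cleaned = strip_leaked_tracebacks(SAMPLE_RESPONSE)
    print("trailing content after cleanup:", repr(trailing_content(cleaned)))
```

Run against a captured error page, the first function answers the narrow question in the thread (is there anything after the closing tag at all), the second turns a leaked traceback into the list of paths a reviewer would flag, and the third shows that stripping only the offending comments keeps the legitimate page intact. Filtering at the edge is a stopgap; the fix the thread asks for is to stop emitting the traceback unless standard_error_message includes it deliberately.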