[Python-ideas] Verbose traceback formatting
Masklinn
masklinn at masklinn.net
Wed Aug 29 15:34:35 CEST 2012
More information about the Python-ideas mailing list
On 29 August 2012, at 15:13, Mike Graham <mikegraham at gmail.com> wrote:

> On Wed, Aug 29, 2012 at 1:15 AM, Masklinn <masklinn at masklinn.net> wrote:
>> It already does: http://docs.python.org/py3k/library/cgitb.html
>
> Wow, nice! I vaguely knew cgitb existed as an HTML formatter, but I
> didn't realize how much information it showed.
>
> On Wed, Aug 29, 2012 at 2:11 AM, Masklinn <masklinn at masklinn.net> wrote:
>> * Maybe move the `html` formatter to wsgiref and add a trace-formatting
>> middleware which could be dropped in about any WSGI stack
>
> On an orthogonal note, I think it may be a bad idea to take steps that
> seem to encourage this sort of thing in a web app. Although there is
> some tradition of displaying stacktraces on errors on the web, this a)
> provides information the user shouldn't worry about and b) can
> introduce security holes (and has many times). Printing out locals,
> the problem only gets worse; it's easy to imagine a password or
> private data getting displayed on screen or transmitted via plaintext.
> It's of course possible to use this sort of tooling and turn it off in
> production, but it's not really necessary and I think it is a bad idea
> to make it too easy.

I don't think having middleware which needs to be added to the stack and
configured makes things "too easy". Most frameworks make it way easier via
a simple flag (in a settings file for django, and passed to .run for
flask). In fact, once you know of the feature's existence I'd argue a wsgi
middleware is still way harder than "cgitb.enable()", and way easier *not*
to enable in production.
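The opt-in arrangement discussed in this message, sketched as an added example (not part of the original post, and not code from wsgiref, cgitb or any framework): a WSGI middleware that always logs the error server-side and sends a verbose trace with frame locals to the client only when explicitly asked to. `TraceMiddleware`, `login_app`, `call` and the sample password are constructed for illustration.

```python
import logging
import traceback
import uuid
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("app.errors")


class TraceMiddleware:
    """Hypothetical middleware: verbose trace to the client only on opt-in."""

    def __init__(self, app, show_traceback=False):  # off unless asked for
        self.app = app
        self.show_traceback = show_traceback

    def __call__(self, environ, start_response):
        try:
            result = self.app(environ, start_response)
            try:
                return list(result)  # also catches errors raised while iterating
            finally:
                if hasattr(result, "close"):
                    result.close()
        except Exception as exc:
            ref = uuid.uuid4().hex[:12]
            # Server log gets the ordinary traceback (no locals) plus the reference.
            log.error("unhandled error ref=%s", ref, exc_info=True)
            if self.show_traceback:
                te = traceback.TracebackException.from_exception(exc, capture_locals=True)
                text = "".join(te.format())  # cgitb-style: includes frame locals
            else:
                text = "Internal Server Error (ref %s)\n" % ref
            body = text.encode("utf-8")
            headers = [("Content-Type", "text/plain; charset=utf-8"),
                       ("Content-Length", str(len(body)))]
            start_response("500 Internal Server Error", headers,
                           (type(exc), exc, exc.__traceback__))
            return [body]


def login_app(environ, start_response):  # constructed sample app
    password = "hunter2-constructed"  # sensitive local in the failing frame
    raise RuntimeError("database unavailable")


def call(app):
    """Run one request against app; return (status, body text)."""
    environ, seen = {}, {}
    setup_testing_defaults(environ)
    chunks = app(environ, lambda status, headers, exc_info=None: seen.update(status=status))
    return seen["status"], b"".join(chunks).decode("utf-8")
```

With the default settings the client sees only the reference id, which an operator can match against the server log; with `show_traceback=True` the response body carries the value of `password`.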