[Python-ideas] Verbose traceback formatting

Mike Graham mikegraham at gmail.com
Wed Aug 29 15:13:45 CEST 2012


On Wed, Aug 29, 2012 at 1:15 AM, Masklinn <masklinn at masklinn.net> wrote:
> It already does: http://docs.python.org/py3k/library/cgitb.html

Wow, nice! I vaguely knew cgitb existed as an HTML formatter, but I
didn't realize how much information it showed.

On Wed, Aug 29, 2012 at 2:11 AM, Masklinn <masklinn at masklinn.net> wrote:
> * Maybe move the `html` formatter to wsgiref and add a trace-formatting
>   middleware which could be dropped in about any WSGI stack

On an orthogonal note, I think it may be a bad idea to take steps that
seem to encourage this sort of thing in a web app. Although there is
some tradition of displaying stacktraces on errors on the web, this a)
provides information the user shouldn't worry about and b) can
introduce security holes (and has many times). Printing out locals,
the problem only gets worse; it's easy to imagine a password or
private data getting displayed on screen or transmitted via plaintext.
It's of course possible to use this sort of tooling and turn it off in
production, but it's not really necessary and I think it is a bad idea
to make it too easy.

Mike
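
The production-side alternative to a trace-formatting middleware, as an added example that is not code from this thread or from the standard library: the verbose traceback (with locals) goes only to the server log, and the client receives an opaque incident id. `QuietErrors`, `redacted_locals` and the `SENSITIVE` name hints are hypothetical names chosen for illustration.

```python
import io
import logging
import sys
import traceback
import uuid

log = logging.getLogger("app.errors")
SENSITIVE = ("password", "passwd", "secret", "token", "key", "cookie")  # assumed name hints

def redacted_locals(tb):
    """Per-frame locals for the server log; names that look sensitive are masked.
    Name matching is a heuristic: values nested inside containers are not masked."""
    frames = []
    while tb is not None:
        safe = {}
        for name, value in tb.tb_frame.f_locals.items():
            hit = any(s in name.lower() for s in SENSITIVE)
            safe[name] = "<redacted>" if hit else repr(value)[:80]
        frames.append((tb.tb_frame.f_code.co_name, tb.tb_lineno, safe))
        tb = tb.tb_next
    return frames

class QuietErrors:
    """Hypothetical WSGI middleware: detail to the log, opaque id to the client.
    Covers exceptions raised while the app is called, not during lazy iteration."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            exc = sys.exc_info()
            incident = uuid.uuid4().hex
            log.error("incident %s\n%s%r", incident,
                      "".join(traceback.format_exception(*exc)), redacted_locals(exc[2]))
            body = ("Internal Server Error (incident %s)\n" % incident).encode()
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")], exc)
            return [body]

def demo():
    """Constructed failing app holding a secret in a local; returns (status, body, log)."""
    def login(environ, start_response):
        password = "hunter2"  # constructed sample secret
        raise KeyError("user")
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    log.addHandler(handler)
    seen = []
    body = QuietErrors(login)({}, lambda status, headers, exc_info=None: seen.append(status))
    log.removeHandler(handler)
    return seen[0], b"".join(body), stream.getvalue()
```
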


