Created on 2012-01-08 07:52 by Bithin.A, last changed 2022-04-11 14:57 by admin. This issue is now closed.
| Files | | |
|---|---|---|
| File name | Uploaded | Description |
| Screenshot at 2012年01月08日 13:11:43.png | Bithin.A, 2012-01-08 07:52 | |
| Messages (6) | |||
|---|---|---|---|
| msg150852 | Author: Bithin A (Bithin.A) | Date: 2012-01-08 07:52 | |
I am getting a Django error when trying to review a patch. This error has occurred in the site as the DEBUG mode in the Django settings file is set to True. It is a security issue and should be set to false. I am attaching the screenshot of the error which I have come across. |
|||
| msg150903 | Author: Martin v. Löwis (loewis) * (Python committer) | Date: 2012-01-08 20:50 | |
I disagree that this is a security issue, or an issue at all. All source code of the site is in a public subversion repository, available for review to any attacker (as well as any security review) - and that is deliberately so because we fundamentally believe in openness of source code. I fail to see why making the traceback available would pose any additional threat. Having the traceback is lightly helpful when people actually do encounter bugs and report them. |
|||
| msg150918 | Author: Bithin A (Bithin.A) | Date: 2012-01-09 03:29 | |
The bugs.python.org/review is a running application and it is very bad to see debug error messages. |
|||
| msg151192 | Author: Georg Brandl (georg.brandl) * (Python committer) | Date: 2012-01-13 20:39 | |
While the actual code may be accessible to everyone, the server configuration (paths etc. -- just look at the page; at least the session secret key and passwords are masked by Django) are not, and exposing that can be a security problem as well. And while I agree that this possibility appears remote, just look at the current discussion about hashing attacks. Running in debug mode also simply looks bad to just about every web programmer, which explains this bug report. Lastly, setting DEBUG to true also has other consequences, like the possibility to "leak" memory for long-running processes, as explained here: https://docs.djangoproject.com/en/1.3/faq/models/ |
|||
| msg151216 | Author: Éric Araujo (eric.araujo) * (Python committer) | Date: 2012-01-14 03:45 | |
(FWIW this tracker is used for what is distributed as CPython, please use the metatracker (link on the left "Report Tracker Problem") for future reports. Thanks) |
|||
| msg151842 | Author: Ezio Melotti (ezio.melotti) * (Python committer) | Date: 2012-01-23 21:05 | |
I now set DEBUG = False in gae2django/settings.py and rietveld/settings.py. |
|||
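
As an added example (not part of the thread and not the tracker's own code): a deployment check that parses a Django settings module and reports what its module-level `DEBUG` assignments resolve to, the setting this issue was closed by changing. The function names, the sample settings text and the `APP_DEBUG` environment variable are constructed for illustration.

```python
import ast

def debug_findings(source, filename="settings.py"):
    """Return [(line, verdict)] for each module-level assignment to DEBUG.

    verdict is "on", "off", or "dynamic" (value only known at runtime).
    Assignments nested in if/try blocks are not inspected.
    """
    findings = []
    for node in ast.parse(source, filename=filename).body:
        if isinstance(node, ast.Assign):
            targets = node.targets          # covers DEBUG = TEMPLATE_DEBUG = True
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets = [node.target]
        else:
            continue
        if not any(isinstance(t, ast.Name) and t.id == "DEBUG" for t in targets):
            continue
        try:
            verdict = "on" if ast.literal_eval(node.value) else "off"
        except (ValueError, TypeError):
            verdict = "dynamic"             # e.g. read from the environment
        findings.append((node.lineno, verdict))
    return findings

def effective_debug(source):
    """The last assignment wins when the module is imported.
    Django's own default is DEBUG = False, so no assignment means "off"."""
    findings = debug_findings(source)
    return findings[-1][1] if findings else "off"

# Constructed sample settings text, not the real rietveld/gae2django files.
# APP_DEBUG is a hypothetical environment variable name.
SAMPLE_BEFORE = "import os\nDEBUG = True\nTEMPLATE_DEBUG = DEBUG\n"
SAMPLE_AFTER = "DEBUG = False\nTEMPLATE_DEBUG = DEBUG\n"
SAMPLE_DYNAMIC = 'import os\nDEBUG = False\nDEBUG = os.environ.get("APP_DEBUG") == "1"\n'

if __name__ == "__main__":
    for name, text in [("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER),
                       ("dynamic", SAMPLE_DYNAMIC)]:
        print(name, debug_findings(text), "->", effective_debug(text))
```

A "dynamic" verdict means the file alone does not settle the question, so the running process's environment has to be checked as well.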
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:57:25 | admin | set | github: 57946 |
| 2012-01-23 21:05:04 | ezio.melotti | set | status: open -> closed nosy: + ezio.melotti messages: + msg151842 resolution: fixed stage: resolved |
| 2012-01-14 03:45:03 | eric.araujo | set | nosy: + eric.araujo messages: + msg151216 |
| 2012-01-13 20:39:32 | georg.brandl | set | nosy: + georg.brandl messages: + msg151192 |
| 2012-01-09 03:29:38 | Bithin.A | set | messages: + msg150918 |
| 2012-01-08 20:50:43 | loewis | set | priority: high -> normal messages: + msg150903 |
| 2012-01-08 10:14:57 | georg.brandl | set | priority: normal -> high assignee: loewis nosy: + loewis title: bugs.python.org's Django settings file DEBUG=True -> bugs.python.org/review's Django settings file DEBUG=True |
| 2012-01-08 07:52:06 | Bithin.A | create | |