Description
Feature request: add the ability for a Wiki to disable the verbose debugging output (which shows installation paths, versions, hostnames, etc). (This is also CVE-2007-0902)
Steps to reproduce
Hit an exception in MoinMoin: http://moinmoin.wikiwikiweb.de/?action=info&general=exception
Observe too many details: Platform: Linux web.thinkmo.de 2.6.17-thinkmo-1 #1 SMP Sat Jul 29 17:36:42 CEST 2006 x86_64
Example
Add "show_traceback" option to configuration. Retain current behavior by defaulting to "1".
Component selection
- failure.py
Details
See attached patch for a possible solution: add-show_traceback.diff
Workaround
None.
Discussion
The suggested solution assume that the wiki configuration is accessible, which is not true if your configuration is broken. This is the reason we chose to use a combination of environment variable (set in you main script) and a request parameter, which can be added in the url.
The change should be this:
- The default should be to save tracebacks to a safe log file on the server. If a log was saved, the error can display the name of the saved traceback.
- Environment variable or request parameter can be used to enable tracebacks
Extensions:
- If a request parameter was given but request parameters are not accessible (e.g request code is broken), a traceback will be saved to disk.
I think there should be a better solution. Just dumping the traceback to some file on the server makes debugging harder, as it involves more people and more effort to get a traceback to moin development. Maybe some email-based solution, sending the traceback to some configured email address? -- ThomasWaldmann 2007-03-17 13:22:56
Plan
- Priority:
Assigned to: ThomasWaldmann
- Status: feature added to 1.5 branch (together with a notice about that we will reject bug reports when not enough information is given)