Opened 15 years ago
Closed 5 years ago
#11919 closed New feature (duplicate)
dpaste.com feature in debug traceback view should be optional
Reported by: | mike w | Owned by: | nobody |
---|---|---|---|
Component: | Error reporting | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Zach Borboa | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
In the default debug stacktrace view, the "copy-and-paste view" includes a helpful form to submit the traceback to dpaste.com. When the (very large) form submit button is clicked, the full stack trace and environment is immediately posted to dpaste.com.
This feature poses security risk: a careless click can immediately publish a stack trace to third-party site, with no protection of the data in transit, and no access controls at the remote side. For individuals or organizations working on confidential projects, there is typically no interest in sharing any information externally.
It does require two clicks to cause such an accident (one to toggle copy-and-paste view, another to submit the form), making it unlikely to happen -- but we have had it happen, and at my organization we'd sleep far better with this feature disabled on all projects.
Suggestion 1: Make use of this pastebin an optional feature (patch attached).
Suggestion 2: Make this feature default disabled (flip bit in attached patch; default preserves existing behavior).
Suggestion 3: Make the pastebin form customizable, so that a provider other than dpaste may be used (for example, an internal pastebin.) I don't have much interest in this, so I've not attempted the larger change.
thanks.
Attachments (1)
Change History (10)
by , 15 years ago
Attachment: | django-dpaste-optional.diff added |
---|
comment:1 by , 15 years ago
Patch needs improvement: | set |
---|---|
Triage Stage: | Unreviewed → Accepted |
I think your option 3 is a better approach. Accepting on that basis.
comment:2 by , 14 years ago
Severity: | → Normal |
---|---|
Type: | → New feature |
comment:5 by , 10 years ago
Cc: | added |
---|
comment:6 by , 10 years ago
Patch needs improvement: | unset |
---|---|
Version: | 1.1 → master |
comment:8 by , 9 years ago
Component: | Core (Other) → Error reporting |
---|
comment:9 by , 5 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
#30752 (Django 3.1) allows providing a custom ExceptionReporter sublcass. That will be the place to add the logic you need (overriding get_traceback_html()
to use a customised template).
patch to add ENABLE_DPASTE setting