Opened 14 years ago

Closed 4 years ago

#11919 closed New feature (duplicate) feature in debug traceback view should be optional

Reported by: mike w Owned by: nobody
Component: Error reporting Version: dev
Severity: Normal Keywords:
Cc: Zach Borboa Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no


In the default debug stacktrace view, the "copy-and-paste view" includes a helpful form to submit the traceback to When the (very large) form submit button is clicked, the full stack trace and environment is immediately posted to

This feature poses a security risk: a careless click can immediately publish a stack trace to a third-party site, with no protection of the data in transit, and no access controls at the remote side. For individuals or organizations working on confidential projects, there is typically no interest in sharing any information externally.

It does require two clicks to cause such an accident (one to toggle copy-and-paste view, another to submit the form), making it unlikely to happen -- but we have had it happen, and at my organization we'd sleep far better with this feature disabled on all projects.

Suggestion 1: Make use of this pastebin an optional feature (patch attached).

Suggestion 2: Make this feature default disabled (flip bit in attached patch; default preserves existing behavior).

Suggestion 3: Make the pastebin form customizable, so that a provider other than dpaste may be used (for example, an internal pastebin.) I don't have much interest in this, so I've not attempted the larger change.


Attachments (1)

django-dpaste-optional.diff (1.9 KB) - added by mike w 14 years ago.
patch to add ENABLE_DPASTE setting


Change History (10)

Changed 14 years ago by mike w

Attachment: django-dpaste-optional.diff added

patch to add ENABLE_DPASTE setting

comment:1 Changed 14 years ago by Russell Keith-Magee

Patch needs improvement: set
Triage Stage: Unreviewed → Accepted

I think your option 3 is a better approach. Accepting on that basis.

comment:2 Changed 13 years ago by Julien Phalip

Severity: Normal
Type: New feature

comment:3 Changed 12 years ago by Aymeric Augustin

UI/UX: unset

Change UI/UX from NULL to False.

comment:4 Changed 12 years ago by Aymeric Augustin

Easy pickings: unset

Change Easy pickings from NULL to False.

comment:5 Changed 9 years ago by Zach Borboa

Cc: Zach Borboa added

comment:6 Changed 9 years ago by Berker Peksag

Patch needs improvement: unset
Version: 1.1 → master

comment:7 Changed 9 years ago by Tim Graham

Patch needs improvement: set

Comments for improvement are on the PR.

comment:8 Changed 8 years ago by Tim Graham

Component: Core (Other) → Error reporting

comment:9 Changed 4 years ago by Carlton Gibson

Resolution: duplicate
Status: new → closed

#30752 (Django 3.1) allows providing a custom ExceptionReporter subclass. That will be the place to add the logic you need (overriding get_traceback_html() to use a customised template).
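
Added example (not part of the ticket or of Django's code): a standard-library check a team could run over the HTML returned by a customised debug page to confirm that no form posts the traceback to a host outside an approved set, or to an approved host over cleartext HTTP. The names `FormCollector` and `external_forms`, the host names and the sample markup are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormCollector(HTMLParser):
    """Collect (action, method) for every <form> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append(((a.get("action") or "").strip(),
                               (a.get("method") or "get").lower()))


def external_forms(html, allowed_hosts=frozenset()):
    """Return (action, method, reason) for forms that send data off-site.

    Relative actions stay on the serving origin and are not reported.
    """
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for action, method in collector.forms:
        parts = urlsplit(action)
        host = (parts.hostname or "").lower()
        if not host:
            continue  # relative URL: same origin as the debug page
        if host not in allowed_hosts:
            findings.append((action, method, "external host"))
        elif parts.scheme == "http":
            findings.append((action, method, "cleartext transport"))
    return findings


# Constructed sample markup, not Django's real debug template output.
SAMPLE_DEBUG_PAGE = """
<form action="/search/" method="get"><input name="q"></form>
<form action="http://paste.example.com/" method="post" id="pasteform">
  <textarea name="content">Traceback (most recent call last): ...</textarea>
  <input type="submit" value="Share this traceback on a public website">
</form>
<form action="https://paste.internal.example/" method="post"></form>
<form action="http://paste.internal.example/" method="POST"></form>
"""
```

Calling `external_forms(SAMPLE_DEBUG_PAGE, {"paste.internal.example"})` reports the public paste form and the cleartext internal one, and leaves the relative and HTTPS internal forms alone.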
