Opened 9 years ago

Closed 6 years ago

#12909 closed Bug (duplicate)

Exceptions raised in response middleware don't invoke site 500/404 handlers.

Reported by: jhovanny Owned by: nobody
Component: Core (Other) Version: 1.2-beta
Severity: Normal Keywords:
Cc: crucialfelix@…, gary.wilson@… Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: yes Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Julien Phalip)

If there is an error connecting to the session database, the session middleware throws an Exception that's visible regardless of the DEBUG setting. The stack trace appears in a blank page (non-conforming to the standard debug template). To reproduce this ticket, drop the django_session table and try to login to any django application. The expected behavior is not to show a stack trace when DEBUG=False

Traceback (most recent call last):

  File "/usr/local/lib/python2.6/dist-packages/django/core/servers/", line 280, in run
    self.result = application(self.environ, self.start_response)

  File "/usr/local/lib/python2.6/dist-packages/django/core/servers/", line 674, in __call__
    return self.application(environ, start_response)

  File "/usr/local/lib/python2.6/dist-packages/django/core/handlers/", line 245, in __call__
    response = middleware_method(request, response)

  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/", line 36, in process_response

  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/", line 57, in save
    session_key = self.session_key,

  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/", line 152, in _get_session_key
    self._session_key = self._get_new_session_key()

  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/", line 144, in _get_new_session_key
    if not self.exists(session_key):

  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/", line 30, in exists

  File "/usr/local/lib/python2.6/dist-packages/django/db/models/", line 132, in get
    return self.get_query_set().get(*args, **kwargs)

  File "/usr/local/lib/python2.6/dist-packages/django/db/models/", line 334, in get
    num = len(clone)

  File "/usr/local/lib/python2.6/dist-packages/django/db/models/", line 79, in __len__
    self._result_cache = list(self.iterator())

  File "/usr/local/lib/python2.6/dist-packages/django/db/models/", line 267, in iterator
    for row in compiler.results_iter():

  File "/usr/local/lib/python2.6/dist-packages/django/db/models/sql/", line 685, in results_iter
    for rows in self.execute_sql(MULTI):

  File "/usr/local/lib/python2.6/dist-packages/django/db/models/sql/", line 740, in execute_sql
    cursor.execute(sql, params)

  File "/usr/local/lib/python2.6/dist-packages/django/db/backends/", line 19, in execute
    return self.cursor.execute(sql, params)

  File "/usr/local/lib/python2.6/dist-packages/django/db/backends/postgresql_psycopg2/", line 44, in execute
    return self.cursor.execute(query, args)

DatabaseError: relation "django_session" does not exist
LINE 1: ...ession_data", "django_session"."expire_date" FROM "django_se...

Attachments (1)

12909.diff (1.8 KB) - added by crucialfelix@… 9 years ago.
django/core/handlers/ handle exception thrown from middleware

Download all attachments as: .zip

Change History (12)

comment:1 Changed 9 years ago by Russell Keith-Magee

Component: django.contrib.sessionsCore framework
milestone: 1.2
Summary: Session Middleware ignores DEBUG setting - Potential Security IssueExceptions raised in response middleware don't invoke site 500/404 handlers.
Triage Stage: UnreviewedAccepted

Correcting the title to remove the scaremongering. This isn't even remotely a security issue. There is nothing private or exploitable being released here.

On that note - it doesn't matter now, but *PLEASE* don't report security issues in Trac. [See Django's security policy] for instructions on how to report potential security problems.

Now - back to the ticket.

The issue here is that exceptions raised in a process_response component of a middleware don't invoke the 500 handling infrastructure.

Changed 9 years ago by crucialfelix@…

Attachment: 12909.diff added

django/core/handlers/ handle exception thrown from middleware

comment:2 Changed 9 years ago by crucialfelix@…

Cc: crucialfelix@… added
Has patch: set

comment:3 Changed 9 years ago by crucialfelix@…

side note to jhovanny:

Your server's 500 page should just say 500 Internal Error. I'm not sure how it could be displaying the python exception. The error would go to your server log.

Use paste to wrap django's wsgi for an added layer of protection. Django is not infallible. Spills happen, admins like to be notified.

from paste.exceptions.errormiddleware import ErrorMiddleware
application = ErrorMiddleware( django_wsgi, debug=False, error_email='crucialfelix@…', show_exceptions_in_wsgi_errors=True, from_address='admin@…',error_message='500 Internal Error' )

This gives a very sober and simple 500 error page for the user and emails me a full stack trace. Exceptions like these are rare. You can customize the 500 page a bit if you need to.

comment:4 Changed 8 years ago by Luke Plant

Type: Bug

comment:5 Changed 8 years ago by Luke Plant

Severity: Normal

comment:6 Changed 8 years ago by Gary Wilson

Cc: gary.wilson@… added

comment:7 Changed 8 years ago by Julien Phalip

Description: modified (diff)
Needs tests: set

comment:8 Changed 7 years ago by Aymeric Augustin

UI/UX: unset

Change UI/UX from NULL to False.

comment:9 Changed 7 years ago by Aymeric Augustin

Easy pickings: unset

Change Easy pickings from NULL to False.

comment:10 Changed 7 years ago by kevin1024

Is this a duplicate of #12250

comment:11 Changed 6 years ago by Aymeric Augustin

Resolution: duplicate
Status: newclosed

It is.

Note: See TracTickets for help on using tickets.
Back to Top