Opened 5 years ago

Closed 2 years ago

#12909 closed Bug (duplicate)

Exceptions raised in response middleware don't invoke site 500/404 handlers.

Reported by: jhovanny
Owned by: nobody
Component: Core (Other)
Version: 1.2-beta
Severity: Normal
Keywords:
Cc: crucialfelix@…, gary.wilson@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by julien)

If there is an error connecting to the session database, the session middleware throws an Exception that's visible regardless of the DEBUG setting. The stack trace appears in a blank page (non-conforming to the standard debug template). To reproduce this ticket, drop the django_session table and try to log in to any django application. The expected behavior is not to show a stack trace when DEBUG=False.

Traceback (most recent call last):
  File "/usr/local/lib/python2.6/dist-packages/django/core/servers/basehttp.py", line 280, in run
    self.result = application(self.environ, self.start_response)
  File "/usr/local/lib/python2.6/dist-packages/django/core/servers/basehttp.py", line 674, in __call__
    return self.application(environ, start_response)
  File "/usr/local/lib/python2.6/dist-packages/django/core/handlers/wsgi.py", line 245, in __call__
    response = middleware_method(request, response)
  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/middleware.py", line 36, in process_response
    request.session.save()
  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/db.py", line 57, in save
    session_key = self.session_key,
  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/base.py", line 152, in _get_session_key
    self._session_key = self._get_new_session_key()
  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/base.py", line 144, in _get_new_session_key
    if not self.exists(session_key):
  File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/db.py", line 30, in exists
    Session.objects.get(session_key=session_key)
  File "/usr/local/lib/python2.6/dist-packages/django/db/models/manager.py", line 132, in get
    return self.get_query_set().get(*args, **kwargs)
  File "/usr/local/lib/python2.6/dist-packages/django/db/models/query.py", line 334, in get
    num = len(clone)
  File "/usr/local/lib/python2.6/dist-packages/django/db/models/query.py", line 79, in __len__
    self._result_cache = list(self.iterator())
  File "/usr/local/lib/python2.6/dist-packages/django/db/models/query.py", line 267, in iterator
    for row in compiler.results_iter():
  File "/usr/local/lib/python2.6/dist-packages/django/db/models/sql/compiler.py", line 685, in results_iter
    for rows in self.execute_sql(MULTI):
  File "/usr/local/lib/python2.6/dist-packages/django/db/models/sql/compiler.py", line 740, in execute_sql
    cursor.execute(sql, params)
  File "/usr/local/lib/python2.6/dist-packages/django/db/backends/util.py", line 19, in execute
    return self.cursor.execute(sql, params)
  File "/usr/local/lib/python2.6/dist-packages/django/db/backends/postgresql_psycopg2/base.py", line 44, in execute
    return self.cursor.execute(query, args)
DatabaseError: relation "django_session" does not exist
LINE 1: ...ession_data", "django_session"."expire_date" FROM "django_se...
                                                             ^

Attachments (1)

12909.diff (1.8 KB) - added by crucialfelix@… 5 years ago.
django/core/handlers/wsgi.py handle exception thrown from middleware


Change History (12)

comment:1 Changed 5 years ago by russellm

  • Component changed from django.contrib.sessions to Core framework
  • milestone 1.2 deleted
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Summary changed from Session Middleware ignores DEBUG setting - Potential Security Issue to Exceptions raised in response middleware don't invoke site 500/404 handlers.
  • Triage Stage changed from Unreviewed to Accepted

Correcting the title to remove the scaremongering. This isn't even remotely a security issue. There is nothing private or exploitable being released here.

On that note - it doesn't matter now, but *PLEASE* don't report security issues in Trac. See Django's security policy (http://docs.djangoproject.com/en/dev/internals/contributing/#id2) for instructions on how to report potential security problems.

Now - back to the ticket.

The issue here is that exceptions raised in a process_response component of a middleware don't invoke the 500 handling infrastructure.

Changed 5 years ago by crucialfelix@…

django/core/handlers/wsgi.py handle exception thrown from middleware

comment:2 Changed 5 years ago by crucialfelix@…

  • Cc crucialfelix@… added
  • Has patch set

comment:3 Changed 5 years ago by crucialfelix@…

side note to jhovanny:

Your server's 500 page should just say 500 Internal Error. I'm not sure how it could be displaying the python exception. The error would go to your server log.

Use paste to wrap django's wsgi for an added layer of protection. Django is not infallible. Spills happen, admins like to be notified.

from django.core.handlers.wsgi import WSGIHandler
from paste.exceptions.errormiddleware import ErrorMiddleware

django_wsgi = WSGIHandler()  # the Django WSGI application being wrapped
# Email addresses are elided in the original comment.
application = ErrorMiddleware(
    django_wsgi,
    debug=False,
    error_email='crucialfelix@…',
    show_exceptions_in_wsgi_errors=True,
    from_address='admin@…',
    error_message='500 Internal Error',
)

This gives a very sober and simple 500 error page for the user and emails me a full stack trace. Exceptions like these are rare. You can customize the 500 page a bit if you need to.
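The failure mode from comment 1 (an exception escaping from the response-middleware phase, after Django's own 500 handling has already run) and the mitigation from comment 3 (a WSGI-level wrapper that turns any escaped exception into a plain 500 while sending the traceback to the server log) are shown together below. This is an added example and not code from the ticket, the attached patch, Django, or Paste; `failing_app`, `catch_all_errors` and `run` are names invented for this illustration, and the raised error is a constructed stand-in for the DatabaseError in the report.

```python
"""Generic-500 WSGI wrapper for exceptions that escape the application.

Added example; the names below are hypothetical and not from Django or Paste.
"""
import io
import sys
import traceback


def failing_app(environ, start_response):
    """Stand-in for a Django WSGI handler whose response middleware raises.

    As in the ticket's traceback, the exception fires inside the handler's
    __call__ while the response is being post-processed, so the view-level
    500 handling has already run and nothing converts it into a 500 page.
    """
    # Constructed failure mimicking the missing django_session table.
    raise RuntimeError('relation "django_session" does not exist')


def catch_all_errors(app, error_message=b"500 Internal Error"):
    """Wrap a WSGI app so any exception becomes a generic 500 response.

    The traceback is written to wsgi.errors (the server log) and never to
    the client, whatever DEBUG-style setting the wrapped app uses.
    """

    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            err = environ.get("wsgi.errors", sys.stderr)
            err.write(traceback.format_exc())
            # Passing exc_info lets a server that already sent headers
            # re-raise instead of silently corrupting the response.
            start_response(
                "500 Internal Server Error",
                [("Content-Type", "text/plain"),
                 ("Content-Length", str(len(error_message)))],
                sys.exc_info(),
            )
            return [error_message]

    return wrapped


def run(app, path="/"):
    """Invoke a WSGI app directly (no server); return (status, body, log)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "wsgi.errors": io.StringIO(),
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], body, environ["wsgi.errors"].getvalue()


if __name__ == "__main__":
    status, body, log = run(catch_all_errors(failing_app))
    print(status, body)          # client sees only the generic message
    print(log.splitlines()[-1])  # server log keeps the real error
```

The try/except covers the case in this ticket because Django's response middleware runs inside the handler's `__call__`, before the body iterable is returned. An exception raised later, while the body is being iterated, would not be caught by this wrapper; a production wrapper also has to wrap the returned iterable.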

comment:4 Changed 4 years ago by lukeplant

  • Type set to Bug

comment:5 Changed 4 years ago by lukeplant

  • Severity set to Normal

comment:6 Changed 4 years ago by gwilson

  • Cc gary.wilson@… added

comment:7 Changed 4 years ago by julien

  • Description modified (diff)
  • Needs tests set

comment:8 Changed 3 years ago by aaugustin

  • UI/UX unset

Change UI/UX from NULL to False.

comment:9 Changed 3 years ago by aaugustin

  • Easy pickings unset

Change Easy pickings from NULL to False.

comment:10 Changed 3 years ago by kevin1024

Is this a duplicate of #12250?

comment:11 Changed 2 years ago by aaugustin

  • Resolution set to duplicate
  • Status changed from new to closed

It is.
