Opened 15 years ago
Closed 12 years ago
#12909 closed Bug (duplicate)
Exceptions raised in response middleware don't invoke site 500/404 handlers.
Reported by: | jhovanny | Owned by: | nobody |
---|---|---|---|
Component: | Core (Other) | Version: | 1.2-beta |
Severity: | Normal | Keywords: | |
Cc: | crucialfelix@…, gary.wilson@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | yes | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
If there is an error connecting to the session database, the session middleware throws an Exception that's visible regardless of the DEBUG setting. The stack trace appears in a blank page (non-conforming to the standard debug template). To reproduce this ticket, drop the django_session table and try to login to any django application. The expected behavior is not to show a stack trace when DEBUG=False
Traceback (most recent call last): File "/usr/local/lib/python2.6/dist-packages/django/core/servers/basehttp.py", line 280, in run self.result = application(self.environ, self.start_response) File "/usr/local/lib/python2.6/dist-packages/django/core/servers/basehttp.py", line 674, in __call__ return self.application(environ, start_response) File "/usr/local/lib/python2.6/dist-packages/django/core/handlers/wsgi.py", line 245, in __call__ response = middleware_method(request, response) File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/middleware.py", line 36, in process_response request.session.save() File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/db.py", line 57, in save session_key = self.session_key, File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/base.py", line 152, in _get_session_key self._session_key = self._get_new_session_key() File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/base.py", line 144, in _get_new_session_key if not self.exists(session_key): File "/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/db.py", line 30, in exists Session.objects.get(session_key=session_key) File "/usr/local/lib/python2.6/dist-packages/django/db/models/manager.py", line 132, in get return self.get_query_set().get(*args, **kwargs) File "/usr/local/lib/python2.6/dist-packages/django/db/models/query.py", line 334, in get num = len(clone) File "/usr/local/lib/python2.6/dist-packages/django/db/models/query.py", line 79, in __len__ self._result_cache = list(self.iterator()) File "/usr/local/lib/python2.6/dist-packages/django/db/models/query.py", line 267, in iterator for row in compiler.results_iter(): File "/usr/local/lib/python2.6/dist-packages/django/db/models/sql/compiler.py", line 685, in results_iter for rows in self.execute_sql(MULTI): File "/usr/local/lib/python2.6/dist-packages/django/db/models/sql/compiler.py", line 740, in execute_sql cursor.execute(sql, params) File "/usr/local/lib/python2.6/dist-packages/django/db/backends/util.py", line 19, in execute return self.cursor.execute(sql, params) File "/usr/local/lib/python2.6/dist-packages/django/db/backends/postgresql_psycopg2/base.py", line 44, in execute return self.cursor.execute(query, args) DatabaseError: relation "django_session" does not exist LINE 1: ...ession_data", "django_session"."expire_date" FROM "django_se... ^
Attachments (1)
Change History (12)
comment:1 by , 15 years ago
Component: | django.contrib.sessions → Core framework |
---|---|
milestone: | 1.2 |
Summary: | Session Middleware ignores DEBUG setting - Potential Security Issue → Exceptions raised in response middleware don't invoke site 500/404 handlers. |
Triage Stage: | Unreviewed → Accepted |
by , 14 years ago
Attachment: | 12909.diff added |
---|
django/core/handlers/wsgi.py handle exception thrown from middleware
comment:2 by , 14 years ago
Cc: | added |
---|---|
Has patch: | set |
comment:3 by , 14 years ago
side note to jhovanny:
Your server's 500 page should just say 500 Internal Error. I'm not sure how it could be displaying the python exception. The error would go to your server log.
Use paste to wrap django's wsgi for an added layer of protection. Django is not infallible. Spills happen, admins like to be notified.
from paste.exceptions.errormiddleware import ErrorMiddleware
application = ErrorMiddleware( django_wsgi, debug=False, error_email='crucialfelix@…', show_exceptions_in_wsgi_errors=True, from_address='admin@…',error_message='500 Internal Error' )
This gives a very sober and simple 500 error page for the user and emails me a full stack trace. Exceptions like these are rare. You can customize the 500 page a bit if you need to.
comment:4 by , 14 years ago
Type: | → Bug |
---|
comment:5 by , 14 years ago
Severity: | → Normal |
---|
comment:6 by , 14 years ago
Cc: | added |
---|
comment:7 by , 14 years ago
Description: | modified (diff) |
---|---|
Needs tests: | set |
Correcting the title to remove the scaremongering. This isn't even remotely a security issue. There is nothing private or exploitable being released here.
On that note - it doesn't matter now, but *PLEASE* don't report security issues in Trac. [See Django's security policy http://docs.djangoproject.com/en/dev/internals/contributing/#id2] for instructions on how to report potential security problems.
Now - back to the ticket.
The issue here is that exceptions raised in a process_response component of a middleware don't invoke the 500 handling infrastructure.