Opened 8 years ago

Closed 8 years ago

#1979 closed enhancement (wontfix)

[patch] Modify debug.py to show database queries on 500 errors

Reported by: Simon Greenhill, dev@…
Owned by: adrian
Component: Core (Other)
Version:
Severity: normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Patch to list any database queries that have been executed (i.e. stored in django.db.connection.queries) in a 500 Internal Server Error.

Attachments (1)

debug_queries.diff (1.4 KB) - added by Simon Greenhill, dev@… 8 years ago.

Change History (6)

Changed 8 years ago by Simon Greenhill, dev@…

comment:1 Changed 8 years ago by mtredinnick

Maybe we just want to trim this to the last three, five or ten queries? The connection.queries list could be hundreds of elements long, even in development.

comment:2 Changed 8 years ago by adrian

I'm not sure this is a good idea: it's a possible security hole. I've seen way too many public-facing Django sites with DEBUG set to True, which gives the public access to the debug pages, so I'd rather not display raw database queries in the debug error pages.

Maybe, as a compromise, the queries could be displayed only for requests from localhost? Or would that defeat the purpose?

comment:3 Changed 8 years ago by Simon Greenhill, dev@…

Adrian: I didn't think of that, but the entire Debug output is a security hole on a production website anyway - path info, cookie info, session IDs, the region of code that died, etc. are all listed. If anyone's stupid enough to run a production website with Debug turned on, then they kind of deserve what they get.

However, either locking it down to localhost only, or maybe have a setting to enable it (default -> disabled)?

comment:4 Changed 8 years ago by adrian

Closing because it's too much of a possible security hole.

comment:5 Changed 8 years ago by adrian

  • Resolution set to wontfix
  • Status changed from new to closed
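
The compromise floated in comments 1 to 3 (opt-in setting that defaults to disabled, localhost-only display, and trimming to the last few queries) can be sketched as a single gate. This is an added example, not code from the attached patch or from Django; the setting names `DEBUG_SHOW_QUERIES` and `DEBUG_QUERY_LIMIT` are hypothetical, and the sample queries are constructed.

```python
import ipaddress

# Hypothetical setting names and defaults (not Django's own): off unless opted in.
DEFAULTS = {"DEBUG": False, "DEBUG_SHOW_QUERIES": False, "DEBUG_QUERY_LIMIT": 10}


def is_loopback(remote_addr):
    """True only for a parseable loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False  # missing or malformed address: fail closed


def queries_for_debug_page(queries, remote_addr, settings):
    """Return the queries a 500 debug page may show, or [] if any gate fails.

    `queries` has the shape of django.db.connection.queries:
    a list of {"sql": ..., "time": ...} dicts, oldest first.
    """
    cfg = {**DEFAULTS, **settings}
    # Gate 1: both DEBUG and the explicit opt-in must be enabled.
    if not (cfg["DEBUG"] and cfg["DEBUG_SHOW_QUERIES"]):
        return []
    # Gate 2: local requests only. Behind a reverse proxy REMOTE_ADDR can be
    # loopback for every client, so this only holds for direct connections.
    if not is_loopback(remote_addr):
        return []
    # Gate 3: show only the most recent queries, not the whole list.
    limit = cfg["DEBUG_QUERY_LIMIT"]
    return list(queries[-limit:]) if limit > 0 else []


# Constructed sample: 25 queries recorded during one request.
SAMPLE = [{"sql": f"SELECT * FROM app_item WHERE id = {i}", "time": "0.001"}
          for i in range(25)]

if __name__ == "__main__":
    opted_in = {"DEBUG": True, "DEBUG_SHOW_QUERIES": True}
    for addr in ("127.0.0.1", "::1", "203.0.113.7", ""):
        shown = queries_for_debug_page(SAMPLE, addr, opted_in)
        print(f"{addr!r}: {len(shown)} queries shown")
```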
