Opened 16 years ago

Closed 16 years ago

Last modified 13 years ago

#7471 closed (fixed)

Django serves exception tracebacks from 404 handlers

Reported by: Trevor Caira Owned by: Leah Culver
Component: Core (Other) Version: dev
Severity: Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Django will serve an exception traceback if your 404 handler raises an exception. The relevant part of django.core.handlers.base follows:

except http.Http404, e:
    if settings.DEBUG:
        from django.views import debug
        return debug.technical_404_response(request, e)
    else:
        callback, param_dict = resolver.resolve404()
        return callback(request, **param_dict)

If resolve404() raises any exception (such as an invalid block tag in the 404 template, or if the user has overriden handler404), Django does not suppress the exception and serve a 500 page; instead it simply serves the traceback. Note that this happens even if DEBUG is set to False.

This might catch someone by surprise if they launch their site without checking if 404 pages work with DEBUG turned off (i.e., they would see a traceback from this issue, but be expecting it).

Attachments (1)

patch-7471-no-tests.diff (1.6 KB ) - added by Leah Culver 16 years ago.
return handle_uncaught_exception for errors with the 404 handler

Download all attachments as: .zip

Change History (10)

comment:1 by Jeff Anderson, 16 years ago

Triage Stage: UnreviewedAccepted

comment:2 by Marc Garcia, 16 years ago

milestone: 1.0

That's correct. And couldn't be difficult to fix. The problem that I found is what to do if the error exists in the 500 template.

in reply to:  2 comment:3 by Mihai Damian, 16 years ago

I think we need to define a hardcoded 500 template somewhere and use it as a last resort.

comment:4 by Leah Culver, 16 years ago

Owner: changed from nobody to Leah Culver
Status: newassigned

comment:5 by Karen Tracey <kmtracey@…>, 16 years ago

Possibly related: #6094. It has a pretty comprehensive patch to attempt to prevent exception tracebacks leaking out, but I don't know if it covered this case.

by Leah Culver, 16 years ago

Attachment: patch-7471-no-tests.diff added

return handle_uncaught_exception for errors with the 404 handler

comment:6 by Leah Culver, 16 years ago

Triage Stage: AcceptedReady for checkin

Modified get_response to handle 404 handler errors (handler404 view) with a generic 500 error. This displays the 500 page instead of a stack trace.

This is very difficult to write a stable test case for since it involves adding a custom handler404 that throws an exception in the root urls.py. This is easy to do by pointing handler404 to a view that does not exist. However, this is not a good thing to add to the test suite since it would mess up other test cases. I've tested this manually and Malcolm (mtreddinick) is okay with it not having a test case.

comment:7 by Leah Culver, 16 years ago

Karen - I think this falls in the general category of "exceptions that should be prettier" but isn't fixed by #6094.

comment:8 by Malcolm Tredinnick, 16 years ago

Resolution: fixed
Status: assignedclosed

(In [7988]) Fixed #7471 -- If the 400 response handler raises an exception, pass control to
the 500 handler (if that then raises an exception, it's just not your day).

Patch from Leah Culver.

comment:9 by Jacob, 13 years ago

milestone: 1.0

Milestone 1.0 deleted

Note: See TracTickets for help on using tickets.
Back to Top