If the only concern here is that debugging is a powerful feature that 
needs to be carefully controlled, then surely a setting to enable it is 
the right way to go?  After all, many security experts will tell you 
that the traceback handler we have now is a security hole, not because 
it lets you execute code, but because it reveals inner workings of the 
server, which can expose vulnerabilities.

Production servers need to have their settings carefully set.  That is 
true now, and it will be true if we add a DEBUGGER=True setting to 
enable this more powerful feature.  I say we add the power and let the 
administrators control where it appears.

--Ned.

Malcolm Tredinnick wrote:
> Hi,
>
> On Mon, 2007-04-09 at 04:33 -0700, jedie wrote:
>
>> Why does Django not have an interactive AJAX traceback debugger?
>>
>> Using an interactive debugger you can play with objects at any point in
>> the error traceback.
>>
>> I know a web shell is an open security hole. But the interactive
>> debugger should only run with the development Web server and if
>> debugging is on.
>> The development server is not for production use. So there is IMHO no
>> problem.
>>
> [...]
>
>> Existing Django ticket: http://code.djangoproject.com/ticket/3527
>>
>
> The reason I originally closed that ticket as "wontfix" -- and I still
> think it's the right reasoning -- is because the debug traceback handler
> is not associated with whether or not the development server is running.
>
> Instead, it is triggered by whether or not DEBUG is True. Sometimes you
> want to have DEBUG=True in production environments, whether for just a
> little period of time -- to debug something -- or for longer. So I am
> reluctant to put in something that might be a security hole if there's
> any chance of it being run on a production site.
>
> Regards,
> Malcolm
>

-- 
Ned Batchelder, http://nedbatchelder.com
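A gate for the kind of separate DEBUGGER setting Ned proposes, added here as an example; it is not Django's code and not code from anyone in this thread. The Settings stand-in, the DEBUGGER setting and debugger_allowed are assumed names (INTERNAL_IPS is Django's existing setting), and the point is that DEBUG=True alone never exposes the code-execution feature.

```python
"""Gate for an interactive traceback debugger (added example, not Django's code).

The thread's concern: Django's traceback page is switched on by DEBUG
alone, so anything attached to it can surface on a production site.
This gate needs an explicit second setting AND a request from a trusted
address before the interactive feature is reachable.
"""
from ipaddress import ip_address, ip_network


class Settings:
    """Stand-in for django.conf.settings, constructed for this example."""

    def __init__(self, DEBUG=False, DEBUGGER=False, INTERNAL_IPS=()):
        self.DEBUG = DEBUG
        self.DEBUGGER = DEBUGGER  # hypothetical extra setting from the thread
        self.INTERNAL_IPS = tuple(INTERNAL_IPS)  # Django's real setting name


def _trusted(remote_addr, internal_ips):
    """True if remote_addr is a valid IP inside any INTERNAL_IPS entry."""
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False  # missing or malformed address: never trusted
    for entry in internal_ips:
        try:
            if addr in ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # skip unparsable entries rather than failing open
    return False


def debugger_allowed(settings, request_meta):
    """Return True only if every independent guard agrees.

    request_meta mirrors request.META. HTTP_X_FORWARDED_FOR is deliberately
    ignored: it is client-supplied, so honouring it would let any remote
    caller claim to be local.
    """
    if not (settings.DEBUG and settings.DEBUGGER):
        return False
    return _trusted(request_meta.get("REMOTE_ADDR", ""), settings.INTERNAL_IPS)


def deployment_warnings(settings):
    """Startup check in the spirit of 'production settings need care'."""
    found = []
    if settings.DEBUG:
        found.append("DEBUG=True: tracebacks reveal server internals")
    if settings.DEBUGGER:
        found.append("DEBUGGER=True: interactive code execution is reachable")
    if settings.DEBUGGER and not settings.INTERNAL_IPS:
        found.append("DEBUGGER=True with empty INTERNAL_IPS: no address restriction")
    return found
```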


You received this message because you are subscribed to the Google Groups 
"Django developers" group.