On Tue, 2011-08-30 at 14:01 -0500, Michael Merickel wrote:
> The way weberror worked is that it'd dump the URL to the console, and
> you could visit that url to see the traceback. I think this was fairly
> reasonable.

Allowing access via a URL to a traceback display was a security risk if
the URL that leads to the traceback console had debugging enabled.
WebError with evalexc debugging was (and still is) a pretty big security
hole as a result.

Even the restriction of "requests to the debugger must come from
127.0.0.1" is not sufficient, as someone might inject something like the
following into an otherwise innocuous public page:

  <img src="http://127.0.0.1:6543/debugtoolbar.execute?frm=-1&cmd=os.rmdir('/')" />

Currently pyramid_debugtoolbar is protected by the fact that we use
something akin to a CSRF token (although not browser-session-based, just
page-to-page) to prevent this.  We're going to have to do some fancy
footwork to get around it and still offer up a URL that leads to a
debuggable page via the OS console.  Possibly put the token in the query
string I guess when we dump it to the console.  That'd work.

Or possibly folks that want this URL on the OS console are just going to
need to live without interactive debugging; they might only have the
ability to view the traceback in history instead of having a full-on
debugger at the URL.

In any case, it's going to require some obsessing over.

- C
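The two-layer check the message describes (a loopback-only restriction plus a per-page token, with the token carried in the query string of the URL dumped to the console), as an added Python example that is not pyramid_debugtoolbar's own code; `issue_token`, `console_url` and `debugger_request_allowed` are hypothetical names and the WSGI-style `environ` dict is constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Loopback addresses: necessary, but as the thread notes, not sufficient on
# their own, since a cross-site <img> request also arrives from the browser
# on this host with REMOTE_ADDR 127.0.0.1.
LOOPBACK = {"127.0.0.1", "::1"}


def issue_token() -> str:
    """Hypothetical per-page token, modelled on the toolbar's page-to-page token."""
    return secrets.token_urlsafe(32)


def console_url(base_url: str, token: str) -> str:
    """Build the URL written to the OS console, with the token in the query string."""
    return f"{base_url}?{urlencode({'token': token})}"


def debugger_request_allowed(environ: dict, valid_tokens: set) -> bool:
    """Admit a debugger request only if it is both local AND carries a known token."""
    # Check 1: remote address must be loopback.
    if environ.get("REMOTE_ADDR") not in LOOPBACK:
        return False
    # Check 2: the request must present a token we issued. An injected
    # <img src="http://127.0.0.1:6543/debugtoolbar.execute?..."> has no way
    # to learn the token, so it fails here even though check 1 passed.
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    presented = qs.get("token", [""])[0]
    # Constant-time comparison against each issued token.
    return any(hmac.compare_digest(presented, t) for t in valid_tokens)


if __name__ == "__main__":
    issued = {issue_token()}
    url = console_url("http://127.0.0.1:6543/debugtoolbar.execute", next(iter(issued)))
    print("console URL:", url)
    # Constructed request resembling the injected <img>: local, but no token.
    forged = {"REMOTE_ADDR": "127.0.0.1", "QUERY_STRING": "frm=-1&cmd=..."}
    print("forged request allowed:", debugger_request_allowed(forged, issued))
```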




-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To post to this group, send email to pylons-discuss@googlegroups.com.
To unsubscribe from this group, send email to 
pylons-discuss+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/pylons-discuss?hl=en.