Ah, ok I should explain more what I'm after. The traceback is always
provided in the response, but the Trac code filters it out. For example,
one can do:
    curl -s "trac-site/bad-url"
And in the server response will be a traceback, like:
    Traceback (most recent call last):
      File "/usr/local/lib/python3.6/site-packages/trac/web/main.py", line 610, in dispatch_request
        dispatcher.dispatch(req)
    [...]
Nessus sees the path information in the traceback and calls it a
vulnerability. ( https://www.tenable.com/plugins/nessus/57640 )
I'd like to disable the traceback unless I do something like set "debug=1"
in trac.ini or something similar.
As of now, I've manually edited "site-packages/trac/__init__.py" to include:
    import sys
    sys.tracebacklimit = 0
Which does the trick. However, that change will be overwritten for every
new install/upgrade.
On Wednesday, February 1, 2023 at 4:10:34 PM UTC-5 RjOllos wrote:
> On Wednesday, February 1, 2023 at 3:55:09 PM UTC-5 [email protected] wrote:
>
> Is there already a supported way to disable tracebacks unless a debug flag
> is set; similar to
> https://stackoverflow.com/questions/27674602/hide-traceback-unless-a-debug-flag-is-set
>
> ?
>
> Do you mean tracebacks rendered on internal errors? I believe those should
> only be shown for users with TRAC_ADMIN permission.
>
> https://trac.edgewall.org/browser/tags/trac-1.4.3/trac/web/main.py?marks=736#L719
>
>
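
The sys.tracebacklimit approach from the message above, gated on a debug flag, as an added example that is not part of the original post and not Trac code. It could be called from a file the site owns (for instance the deployment's WSGI script) so an upgrade of site-packages does not overwrite it. The environment variable name TRAC_TRACEBACK_DEBUG and the failing handler are assumptions made up for the illustration.

```python
import os
import sys
import traceback

# Hypothetical variable name chosen for this example; it is not a Trac setting.
DEBUG_ENV = "TRAC_TRACEBACK_DEBUG"


def apply_traceback_policy(environ=os.environ):
    """Cap formatted tracebacks at zero frames unless the debug flag is "1".

    Returns True when debug (full tracebacks) is active.
    """
    debug = environ.get(DEBUG_ENV, "0") == "1"
    if debug:
        # Remove any cap so every frame is formatted again.
        if hasattr(sys, "tracebacklimit"):
            del sys.tracebacklimit
    else:
        # Same setting the post applies in trac/__init__.py.
        sys.tracebacklimit = 0
    return debug


def failing_handler():
    """Constructed stand-in for a request handler that raises."""
    raise ValueError("bad-url")


def render_error():
    """Format the active exception as text, as an error page might embed it."""
    try:
        failing_handler()
    except ValueError:
        return traceback.format_exc()


def leaks_paths(text):
    """True if the text contains traceback frame lines (File "...")."""
    return any(line.lstrip().startswith('File "') for line in text.splitlines())


if __name__ == "__main__":
    apply_traceback_policy()
    print(render_error())
```

sys.tracebacklimit is process-wide, so with the flag off the tracebacks written to the server's own logs lose their frames as well; the exception type and message are still reported.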