
If there is an error in a route function, I am seeing the Traceback log data being sent out to the client. It seems like it could be a potential security risk.

A simple example:

from flask import Flask, request

app = Flask(__name__)

@app.route('/uploadFile', methods=['GET', 'POST'])
def uploadFile():
    if request.method == 'POST':
        if True:
            # deliberate failure, used to reproduce the leaked traceback
            raise Exception('Snuffy!')

On the HTML side I have a form targeting a hidden iframe, which has an event that prints to a textbox intended for custom status messages from the server, but not intended to blurt out Python errors, which is what I am now seeing. I could filter it out, but people could still see it with an HTTP inspection tool.

How is the Traceback message getting routed to the client, and how do I stop it? Is this a Werkzeug thing?

Here is what is getting printed to the browser status box:

builtins.Exception
Exception: Snuffy!

Traceback (most recent call last)
File "C:\Users\(removed)\AppData\Roaming\Python\Python36\site-packages\flask\app.py", line 2309, in __call__
    def __call__(self, environ, start_response):
        """The WSGI server calls the Flask application object as the
        WSGI application. This calls :meth:`wsgi_app` which can be
        wrapped to applying middleware."""
        return self.wsgi_app(environ, start_response)
    def __repr__(self):
... (removed) ...
File "C:\Users\Documents\(removed)\run.py", line 94, in uploadFile
    raise Exception('Snuffy!')
Exception: Snuffy!

The debugger caught an exception in your WSGI application. You can now look at the traceback which led to the error.

To switch between the interactive traceback and the plaintext one, you can click on the "Traceback" headline. From the text traceback you can also create a paste of it. For code execution mouse-over the frame you want to debug and click on the console icon on the right side.

You can execute arbitrary Python code in the stack frames and there are some extra helpers available for introspection:
  • dump() shows all variables in the frame
  • dump(obj) dumps all that's known about the object

Brought to you by DON'T PANIC, your friendly Werkzeug powered traceback interpreter.

Console Locked
The console is locked and needs to be unlocked by entering the PIN. You can find the PIN printed out on the standard output of your shell that runs the server.
PIN:

After which my custom status messages pick back up again.

Thanks!

bleand
Mark Seagoe
  • OK so it appears from the proposed duplicate links that Werkzeug is insecure and just don't use it. It wasn't exactly what I was hoping to hear (I figured maybe there was some Werkzeug configuration to stop the behavior), but if not I suppose I'll just have to deal with it. – Mark Seagoe Apr 16 '19 at 19:58
  • The traceback being leaked back to the client is a result of the Flask app.debug flag being True. The reason they say not to use that in production is that it only supports a single thread. – Mark Seagoe Apr 24 '19 at 21:59
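What renders the page quoted in the question is Werkzeug's debugger middleware, DebuggedApplication, which Flask's development server wraps around the application only when debug mode is on; in that mode Flask re-raises unhandled exceptions instead of turning them into a plain 500, precisely so the debugger can catch and display them. The following is an added example, not code from the question or from Flask's own documentation: it runs the same route once with debug on behind DebuggedApplication, so the client receives the traceback page, and once hardened, with debug left off and an errorhandler(Exception) that writes the traceback to a server-side log and sends the client only a generic 500. The names create_app, leaky_response, hardened_response, ListHandler and SERVER_LOG are this example's own, and it assumes Flask and Werkzeug are installed. Note that the debugger page's console executes arbitrary Python on the server once the PIN is entered, which is a stronger reason not to ship debug mode than the information leak itself.

```python
"""Added example (not from the question): the Snuffy! route with and
without the traceback leak.  Assumes Flask and Werkzeug are installed."""
import logging

from flask import Flask, jsonify, request
from werkzeug.debug import DebuggedApplication
from werkzeug.exceptions import HTTPException
from werkzeug.test import Client
from werkzeug.wrappers import Response

# Stand-in for the server-side log (a file or syslog in practice), so the
# example can show where the traceback ends up instead of the browser.
SERVER_LOG = []


class ListHandler(logging.Handler):
    def emit(self, record):
        # self.format() appends the traceback when exc_info is set
        SERVER_LOG.append(self.format(record))


log = logging.getLogger("uploadFile-example")
log.addHandler(ListHandler())
log.setLevel(logging.ERROR)
log.propagate = False


def create_app(hardened):
    """Build the question's app, either leaky (debug on) or hardened."""
    app = Flask(__name__)

    @app.route("/uploadFile", methods=["GET", "POST"])
    def uploadFile():
        if request.method == "POST":
            raise Exception("Snuffy!")  # the question's deliberate failure
        return "upload form"

    if hardened:
        app.debug = False  # the default; spelled out because it is the fix

        @app.errorhandler(Exception)
        def handle_unexpected(exc):
            # Flask routes HTTPException (404, 405, ...) through an
            # Exception handler too; keep their normal responses.
            if isinstance(exc, HTTPException):
                return exc
            # Traceback goes to the server log; the client gets only a
            # generic status and message.
            log.exception("unhandled error on %s", request.path)
            return jsonify(status="error", message="upload failed"), 500
    else:
        # What app.run(debug=True) or FLASK_DEBUG=1 switches on.  Flask then
        # re-raises unhandled exceptions so the debugger can catch them.
        app.debug = True

    return app


def leaky_response():
    """POST through the Werkzeug debugger, as the dev server does in debug mode."""
    app = create_app(hardened=False)
    debugged = DebuggedApplication(app.wsgi_app, evalex=True)
    resp = Client(debugged, Response).post("/uploadFile")
    return resp.status_code, resp.get_data(as_text=True)


def hardened_response():
    """POST to the hardened app; the traceback stays in SERVER_LOG."""
    app = create_app(hardened=True)
    resp = app.test_client().post("/uploadFile")
    return resp.status_code, resp.get_data(as_text=True)


if __name__ == "__main__":
    status, body = leaky_response()
    print("debug on :", status, "Snuffy! in body:", "Snuffy!" in body)
    status, body = hardened_response()
    print("debug off:", status, body.strip())
    print("server log has traceback:", any("Snuffy!" in e for e in SERVER_LOG))
```

Both app.run(debug=True) and FLASK_DEBUG=1 set the same app.debug flag that the leaky branch sets by hand, so the fix is to leave that off wherever the app is reachable by anyone but the developer and to keep an error handler like the one above, so that failures are still recorded without going to the browser. The isinstance check matters because a handler registered for Exception would otherwise also swallow Flask's own 404 and 405 responses.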

0 Answers