Small addition to hgweb.fcgi

Mitar mmitar at gmail.com
Sun Mar 13 05:42:24 CDT 2011


Hi!

In some older versions of flup (namely the version currently stable in
Debian) debug mode is enabled by default. This was changed two years
ago but it is how it is:

http://trac.saddi.com/flup/changeset/93%3Ac3894d7dd583

The problem is that in default mode flup enables cgitb for printing
stack traces, which could leak security-sensitive information.

My proposal is that debug mode is explicitly disabled in hgweb.fcgi by
changing the last line to:

WSGIServer(application, debug=False).run()

If somebody wants stack traces he/she can uncomment the lines above, which
enable cgitb, or set debug explicitly to True. Maybe we could even
remove those two lines above for enabling cgitb and leave it to flup to
do that, if the user wants, by explicitly setting debug to True.

So currently, with older flup versions, cgitb can be enabled twice,
via two separate ways. And more importantly, it stays enabled even if
you uncomment that import in the lines above.


Mitar
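
The leak described in this message comes from tracebacks being rendered into the HTTP response. Below is an added example (not part of hgweb.fcgi, flup or Mercurial) of a small WSGI middleware that logs the full traceback server-side and returns a generic 500 to the client; `failing_app` and `run_request` are constructed stand-ins for the hgweb application and for a FastCGI front end, and the name `no_traceback_leak` is my own.

```python
"""Added example (not from hgweb.fcgi or flup): keep stack traces out of
HTTP responses while still logging them, to pair with debug=False."""
import logging
import sys

log = logging.getLogger("hgweb.errors")


def no_traceback_leak(app):
    """Wrap a WSGI app so an unhandled exception yields a generic 500.

    The traceback goes to the logger (exc_info=True), never to the client,
    which is exactly what cgitb / flup's debug mode would otherwise expose.
    """
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            log.error("unhandled error on %s",
                      environ.get("PATH_INFO", "?"), exc_info=True)
            # Pass exc_info as PEP 3333 requires: if headers were already
            # sent, the server re-raises instead of corrupting the response.
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")], sys.exc_info())
            return [b"Internal Server Error\n"]
    return wrapped


def failing_app(environ, start_response):
    """Constructed stand-in for the hgweb application: always raises."""
    raise RuntimeError("details that must stay server-side")


def run_request(app, path="/"):
    """Minimal constructed WSGI caller: returns (status, body bytes)."""
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"] = status
        return lambda data: None

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return result["status"], body


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(run_request(no_traceback_leak(failing_app), "/repo"))
```

In hgweb.fcgi this would be used as WSGIServer(no_traceback_leak(application), debug=False).run(), so the response stays generic even with an older flup whose default debug mode would otherwise switch cgitb on.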


More information about the Mercurial-devel mailing list