#7471 closed (fixed)
Django serves exception tracebacks from 404 handlers
Reported by: | Trevor Caira | Owned by: | Leah Culver |
---|---|---|---|
Component: | Core (Other) | Version: | dev |
Severity: | Keywords: | ||
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Django will serve an exception traceback if your 404 handler raises an exception. The relevant part of django.core.handlers.base follows:
except http.Http404, e: if settings.DEBUG: from django.views import debug return debug.technical_404_response(request, e) else: callback, param_dict = resolver.resolve404() return callback(request, **param_dict)
If resolve404() raises any exception (such as an invalid block tag in the 404 template, or if the user has overriden handler404), Django does not suppress the exception and serve a 500 page; instead it simply serves the traceback. Note that this happens even if DEBUG is set to False.
This might catch someone by surprise if they launch their site without checking if 404 pages work with DEBUG turned off (i.e., they would see a traceback from this issue, but be expecting it).
Attachments (1)
Change History (10)
comment:1 by , 17 years ago
Triage Stage: | Unreviewed → Accepted |
---|
follow-up: 3 comment:2 by , 17 years ago
milestone: | → 1.0 |
---|
comment:3 by , 16 years ago
I think we need to define a hardcoded 500 template somewhere and use it as a last resort.
comment:4 by , 16 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:5 by , 16 years ago
Possibly related: #6094. It has a pretty comprehensive patch to attempt to prevent exception tracebacks leaking out, but I don't know if it covered this case.
by , 16 years ago
Attachment: | patch-7471-no-tests.diff added |
---|
return handle_uncaught_exception for errors with the 404 handler
comment:6 by , 16 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
Modified get_response to handle 404 handler errors (handler404 view) with a generic 500 error. This displays the 500 page instead of a stack trace.
This is very difficult to write a stable test case for since it involves adding a custom handler404 that throws an exception in the root urls.py. This is easy to do by pointing handler404 to a view that does not exist. However, this is not a good thing to add to the test suite since it would mess up other test cases. I've tested this manually and Malcolm (mtreddinick) is okay with it not having a test case.
comment:7 by , 16 years ago
Karen - I think this falls in the general category of "exceptions that should be prettier" but isn't fixed by #6094.
comment:8 by , 16 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
That's correct. And couldn't be difficult to fix. The problem that I found is what to do if the error exists in the 500 template.