Flask leaks traceback messages to the client

Time: 2019-04-16 18:12:09

Tags: python security flask werkzeug

If there is an error in a route function, I see traceback log data being sent to the client. It seems like this could be a potential security risk.

A simple example:

from flask import Flask, request

app = Flask(__name__)

@app.route('/uploadFile', methods=['GET', 'POST'])
def uploadFile():
    if request.method == 'POST':
        if True:
            # raised on purpose to reproduce the leak
            raise Exception('Snuffy!')

On the HTML side, I have a form that targets a hidden iframe, with an event on the iframe that prints to a text box. That text box is meant for custom status messages from the server, not for obscure Python errors, which is what I'm seeing now. I could filter it out, but people could still see it with an HTTP inspect tool.

How does the traceback message get routed to the client, and how do I stop it? Is this a Werkzeug thing?

Here is what is being printed to the browser status box:

builtins.Exception Exception: Snuffy! Traceback (most recent call last) File "C:\Users\(removed)\AppData\Roaming\Python\Python36\site-packages\flask\app.py", line 2309, in __call__ def __call__(self, environ, start_response): """The WSGI server calls the Flask application object as the WSGI application. This calls :meth:`wsgi_app` which can be wrapped to applying middleware.""" return self.wsgi_app(environ, start_response) def __repr__(self): 
... (removed) ...
"C:\Users\Documents\(removed)\run.py", line 94, in uploadFile raise Exception('Snuffy!') Exception: Snuffy! The debugger caught an exception in your WSGI application. You can now look at the traceback which led to the error. To switch between the interactive traceback and the plaintext one, you can click on the "Traceback" headline. From the text traceback you can also create a paste of it. For code execution mouse-over the frame you want to debug and click on the console icon on the right side.You can execute arbitrary Python code in the stack frames and there are some extra helpers available for introspection:dump() shows all variables in the framedump(obj) dumps all that's known about the object Brought to you by DON'T PANIC, your friendly Werkzeug powered traceback interpreter. Console Locked The console is locked and needs to be unlocked by entering the PIN. You can find the PIN printed out on the standard output of your shell that runs the server. PIN:

After that, my custom status message shows up again.

Thanks!
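As an added example (not code from the question, nor from Flask or Werkzeug), a framework-agnostic WSGI middleware that addresses the second question: it catches whatever the view raises, keeps the traceback in the server log, and returns only a generic 500 with an opaque reference. It uses the standard library only; broken_app is a constructed stand-in for the question's view, and the name TracebackGuard is made up.

```python
import logging
import sys
import traceback
import uuid

log = logging.getLogger("tracebackguard")
# Tell-tale text that must never reach a client.
LEAK_MARKERS = ("Traceback (most recent call last)", 'File "', "site-packages", "Werkzeug")


class TracebackGuard:
    """WSGI middleware: keep the traceback in the server log, send a generic 500.
    Werkzeug's debugger sits at this same layer: app.run(debug=True) wraps
    app.wsgi_app in DebuggedApplication, which renders the traceback and the
    PIN-locked console into the response. Wrap the other way round instead,
    app.wsgi_app = TracebackGuard(app.wsgi_app), and never run with debug on.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            ref = uuid.uuid4().hex[:12]  # opaque id the user can quote to support
            log.error("unhandled error ref=%s path=%s\n%s", ref,
                      environ.get("PATH_INFO"), traceback.format_exc())
            body = f"Internal server error (ref {ref})".encode()
            # Passing exc_info lets the server re-raise if headers already went out.
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(body)))], sys.exc_info())
            return [body]


def leaks_traceback(body):
    """True if a response body carries traceback text."""
    return any(marker in body for marker in LEAK_MARKERS)


def broken_app(environ, start_response):
    """Constructed stand-in for the question's /uploadFile view: raises on POST."""
    if environ["REQUEST_METHOD"] == "POST":
        raise Exception("Snuffy!")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(app, method="GET", path="/uploadFile"):
    """Drive a WSGI app in-process; returns (status, body_text)."""
    seen, environ = {}, {"REQUEST_METHOD": method, "PATH_INFO": path}
    body = b"".join(app(environ, lambda s, h, e=None: seen.setdefault("status", s)))
    return seen["status"], body.decode()
```

leaks_traceback is the kind of check to keep in an integration test suite so a debug build never ships a traceback to users again.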
