Gossamer Forum: Products: Others: Gossamer Community: UACK! Debug always on?

Apr 1, 2003, 9:22 AM

maxpico

User (422 posts)

Apr 1, 2003, 9:22 AM

Post #1 of 9

Shortcut

UACK! Debug always on?

I tried an arbitrary query at community.cgi like community.cgi?do=show_user_profile
The script parses Fatal Error:
Invalid Request: show_user_profile

Stack Trace:
bla bla bla

That's harmful! How can I fix that? I'm using Beta 1 (please don't reask why I've not upgraded to beta 2 -I'm waiting for final release-)
Max
The one with Mac OS X Server 10.4 :)

Apr 1, 2003, 12:15 PM

Paul

Veteran (19537 posts)

Apr 1, 2003, 12:15 PM

Post #2 of 9

Shortcut

Re: [maxpico] UACK! Debug always on? In reply to

I just had a look in the source - didn't find anything to help you but did spot a typo in GT::Base...

>>
my $msg = " Perhaps you ment to call " . join (", or " => @poss) . ".\n" if (@poss);
<<

Apr 2, 2003, 2:42 AM

maxpico

User (422 posts)

Apr 2, 2003, 2:42 AM

Post #3 of 9

Shortcut

Re: [Paul] UACK! Debug always on? In reply to

So that's a big security issue because it displays all the paths to the cgi.
Can GT staff quickly fix that?
Thanks
Max
The one with Mac OS X Server 10.4 :)

Apr 2, 2003, 9:51 AM

yogi

Veteran (2199 posts)

Apr 2, 2003, 9:51 AM

Post #4 of 9

Shortcut

Re: [maxpico] UACK! Debug always on? In reply to

Remember it's still a beta version, and if you are testing the script, you want detailed error messages and stack traces.

Of course it's a security risk, but what is even a bigger security risk is running the software on a production server when you know it's a buggy beta version...

Ivan
-----
Iyengar Yoga Resources / GT Plugins

Apr 2, 2003, 9:56 AM

maxpico

User (422 posts)

Apr 2, 2003, 9:56 AM

Post #5 of 9

Shortcut

Re: [yogi] UACK! Debug always on? In reply to

The fact is that bugs like that shouldn't be in a beta version.
Max
The one with Mac OS X Server 10.4 :)

Apr 2, 2003, 12:54 PM

klauslovgreen

Enthusiast (671 posts)

Apr 2, 2003, 12:54 PM

Post #6 of 9

Shortcut

Re: [maxpico] UACK! Debug always on? In reply to

For what it is worth it seems to be fixed in Beta 2 - so a quick fix might be to upgrade.

Klaus

http://www.ameinfo.com

Apr 6, 2003, 7:16 PM

pugdog

Veteran (6956 posts)

Apr 6, 2003, 7:16 PM

Post #7 of 9

Shortcut

Re: [maxpico] UACK! Debug always on? In reply to

The point is, that debug code is _part_ of a beta, and is the only way to get bugs fixed. Beta's are not supposed to be used on production/public servers unless you know what you are doing.

Everyone is so used to "beta" software, they forget what it *really* is, and that Alex's beta's are better than most production verion 1.0 software, and his version 1.0 are usually more like 1.5's from most other companies. People rush to use "beta's" but they are still "betas". :)

There was EXTREME pressure on Alex to release Community early.

PUGDOG� Enterprises, Inc.

The best way to contact me is to NOT use Email.
Please leave a PM here.

Apr 7, 2003, 5:58 AM

maxpico

User (422 posts)

Apr 7, 2003, 5:58 AM

Post #8 of 9

Shortcut

Re: [pugdog] UACK! Debug always on? In reply to

The point is, that security harmful debug code should not be included on whatever beta.
Max
The one with Mac OS X Server 10.4 :)

Apr 7, 2003, 7:39 AM

Paul

Veteran (19537 posts)

Apr 7, 2003, 7:39 AM

Post #9 of 9

Shortcut

Re: [maxpico] UACK! Debug always on? In reply to

This is a quick untested fix. In Community.pm about 3/4 of the way down change:

Code:
sub comm_fatal { 
# ------------------------------------------------------------------- 
    $error = shift; # Set the global $Communtiy::error 
    require Carp; 
    Carp::croak $error; 
}

...to...

Code:
sub comm_fatal { 
# ------------------------------------------------------------------- 
    $error = shift; # Set the global $Communtiy::error 
    print $IN->header(); 
    print "An error occured: $error"; 
}

Last edited by:

Paul: Apr 7, 2003, 7:39 AM