On Thursday, August 28, 2003, at 10:32 AM, itamarst CVS wrote:
> log stderr and non-zero exit code in CGIs, don't show info to users as
> it is a security risk (closes issue #241)

We shouldn't swallow errors in these situations. If it's a security
risk, provide a way for the server administrator to turn it off, but
this is a _bad_ default.

If you doubt the wisdom of making this default, please consult any
number of Perl FAQs of the form:

Q. "I wrote a CGI and it works perfectly, but now I moved it to
another server and I get nothing but a "500 Internal Server Error"
page. How do I tell what went wrong!?!?!?"

A. Look in your apache logs.

Q. "I looked at my apache logs and nothing makes sense! How do I tell
what the error was??!"

Also, could you clarify the security risk of displaying stderr from CGI
scripts? I've never heard of a CGI that puts security-critical
information on stderr rather than stdout and makes it a risk to display