On Thursday, August 28, 2003, at 10:32 AM, itamarst CVS wrote:
log stderr and non-zero exit code in CGIs, don't show info to users as it is a security risk (closes issue #241)
We shouldn't swallow errors in these situations. If it's a security risk, provide a way for the server administrator to turn it off, but this is a _bad_ default.
If you doubt the wisdom of making this default, please consult any number of Perl FAQs of the form:
Q. "I wrote a CGI and it works perfectly, but now I moved it to another server and I get nothing but a "500 Internal Server Error" page. How do I tell what went wrong!?!?!?"
A. Look in your apache logs.
Q. "I looked at my apache logs and nothing makes sense! How do I tell what the error was??!"
Also, could you clarify the security risk of displaying stderr from CGI scripts? I've never heard of a CGI that puts security-critical information on stderr rather than stdout and makes it a risk to display to users.
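To make the trade-off in this thread concrete, here is an added example (not Twisted's code and not written by either poster): a small Python wrapper that runs a CGI-style program, always records its stderr and non-zero exit status in the server log, and only copies that stderr into the 500 response when the administrator has opted in via `show_errors_to_client`. The function names, the default of `False`, and the two sample CGI commands are assumptions constructed for illustration.

```python
import logging
import subprocess
import sys
from dataclasses import dataclass, field

log = logging.getLogger("cgi")

# Constructed sample "CGI programs" (tiny Python one-liners) used only to exercise
# the wrapper offline: one fails and writes a traceback-like line to stderr,
# the other succeeds and emits a minimal CGI response.
FAILING_CGI = [sys.executable, "-c",
               "import sys; sys.stderr.write('Traceback: boom\\n'); sys.exit(3)"]
HEALTHY_CGI = [sys.executable, "-c",
               "print('Content-Type: text/plain'); print(); print('hi')"]


@dataclass
class CgiResult:
    status: int            # HTTP status the server would send
    body: bytes            # response body handed to the client
    log_lines: list = field(default_factory=list)  # what went to the server log


def run_cgi(argv, show_errors_to_client=False, timeout=10):
    """Run a CGI program; log stderr and exit status server-side; only echo
    diagnostics to the client when the administrator has enabled it."""
    proc = subprocess.run(argv, capture_output=True, stdin=subprocess.DEVNULL,
                          timeout=timeout)
    log_lines = []
    # stderr is always preserved for the administrator, never silently dropped
    for line in proc.stderr.decode("utf-8", "replace").splitlines():
        log_lines.append(f"cgi stderr {argv[0]}: {line}")
    if proc.returncode != 0:
        log_lines.append(f"cgi exit {argv[0]}: status {proc.returncode}")
    for entry in log_lines:
        log.error(entry)
    if proc.returncode == 0:
        return CgiResult(200, proc.stdout, log_lines)
    # Failure: generic 500 by default; stderr attached only when opted in
    body = b"500 Internal Server Error\n"
    if show_errors_to_client:
        body += b"\n" + proc.stderr
    return CgiResult(500, body, log_lines)
```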