[Tutor] Value of tracebacks to malicious attackers?
Steven D'Aprano
steve at pearwood.info
Mon Jan 25 05:05:42 EST 2016
On Sat, Jan 23, 2016 at 10:52:27PM -0600, boB Stepp wrote:
> From page 202 of "Python Crash Course": "..., but it's also not a
> good idea to let users see tracebacks.
[...]
> How much concern do you give this in designing and implementing your
> production code?
Me personally? Absolutely none at all, as my audience is (1) mostly me;
(2) or other Python developers; (3) assumed to be reasonably technical;
and (4) running the code on their own machine. There's nothing they can
learn from the traceback that they don't already have access to.
But on occasions where I am writing for non-technical uses (i.e. an
application rather than a library) I would handle it something like
this in the main application:

    import sys

    # main(), log and display_unexpected_error() are the application's own
    if __name__ == '__main__':
        try:
            main()
        except KeyboardInterrupt:
            log.log("keyboard interrupt")
            sys.exit()
        except SystemExit as e:
            # log the requested exit, then let it proceed
            log.log(e)
            raise
        except Exception as e:
            log.log(e)
            # show a GUI alert, or at least print a message
            # to the screen
            display_unexpected_error(e)
            sys.exit(1)

or something like that. The point is to catch any unhandled exception,
log it, possibly notify the user that something bad happened, and then
exit. The traceback never gets shown.
--
Steve
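
An added example, not part of Steven's message: a runnable version of the same catch-log-exit pattern that writes the full traceback to the log under an incident id and shows the user only that id. The names `run_guarded`, `demo`, the logger name, the sample path and the exit status 130 are assumptions made for this illustration.

```python
import io
import logging
import uuid


def run_guarded(main, log, user_out):
    """Run main(); on an unhandled exception, log the full traceback under a
    fresh incident id and show the user only that id. Returns the exit code."""
    try:
        main()
    except KeyboardInterrupt:
        log.info("keyboard interrupt")
        return 130  # conventional SIGINT exit status (a choice made here)
    except SystemExit as e:
        log.info("exit requested: %r", e.code)
        raise
    except Exception:
        incident = uuid.uuid4().hex[:8]
        # log.exception() records the message plus the full traceback,
        # which stays in the log for maintainers.
        log.exception("unhandled exception, incident=%s", incident)
        # The user gets a generic message and a reference to quote.
        print(f"An unexpected error occurred. Reference: {incident}",
              file=user_out)
        return 1
    return 0


def demo():
    """Constructed demo: main() fails with a message naming an internal path."""
    log_buf, user_buf = io.StringIO(), io.StringIO()
    log = logging.getLogger("guard_demo")          # hypothetical logger name
    log.handlers[:] = [logging.StreamHandler(log_buf)]
    log.setLevel(logging.INFO)
    log.propagate = False

    def failing_main():
        config_path = "/srv/app/secrets.ini"       # constructed sample value
        raise RuntimeError(f"cannot parse {config_path}")

    code = run_guarded(failing_main, log, user_buf)
    return code, log_buf.getvalue(), user_buf.getvalue()


if __name__ == "__main__":
    code, logged, shown = demo()
    print("user saw:", shown.strip())
    raise SystemExit(code)
```

The incident id lets a support request be matched to the logged traceback without the traceback, file paths or exception text ever reaching the user.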