[Tutor] Value of tracebacks to malicious attackers?

Steven D'Aprano steve at pearwood.info
Mon Jan 25 05:05:42 EST 2016


On Sat, Jan 23, 2016 at 10:52:27PM -0600, boB Stepp wrote:
> From page 202 of "Python Crash Course":  "..., but it's also not a
> good idea to let users see tracebacks.
[...]
> How much concern do you give this in designing and implementing your
> production code?  

Me personally? Absolutely none at all, as my audience is (1) mostly me; 
(2) or other Python developers; (3) assumed to be reasonably technical; 
and (4) running the code on their own machine. There's nothing they can 
learn from the traceback that they don't already have access to.

But on occasions where I am writing for non-technical users (i.e. an 
application rather than a library) I would handle it something like 
this in the main application:


import sys

# main(), log and display_unexpected_error() are the application's own
# (assumed to be defined elsewhere in the program).
if __name__ == '__main__':
    try:
        main()
    except KeyboardInterrupt:
        log.log("keyboard interrupt")
        sys.exit()
    except SystemExit as e:
        log.log(e)
        raise
    except Exception as e:
        log.log(e)
        # show a GUI alert, or at least print a message
        # to the screen
        display_unexpected_error(e)
        sys.exit(1)


or something like that. The point is to catch any unhandled exception, 
log it, possibly notify the user that something bad happened, and then 
exit. The traceback never gets shown.


-- 
Steve
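The wrapper described above, worked through as an added example (not code from the post): the full traceback goes only to the log, while the user gets a generic message carrying a reference id they can quote back. Names such as run_guarded, display_unexpected_error and the report parameter are assumptions for this example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


def display_unexpected_error(reference):
    """What the user sees: no exception type, message, paths or source lines."""
    return ("An unexpected error occurred. Please report reference "
            f"{reference} to support.")


def run_guarded(main, display=display_unexpected_error, report=log.error):
    """Run main() and return (exit_code, user_message).

    The traceback is passed to report() (the log) only. KeyboardInterrupt
    and SystemExit derive from BaseException, not Exception, so they need
    their own clauses; a bare 'except Exception' would let them through.
    """
    try:
        main()
        return 0, None
    except KeyboardInterrupt:
        log.info("keyboard interrupt")
        return 130, None
    except SystemExit as e:
        log.info("SystemExit: %r", e.code)
        code = e.code
        return (0 if code is None else code if isinstance(code, int) else 1), None
    except Exception:
        reference = uuid.uuid4().hex[:8]
        # Full detail for the developer: type, message, stack and source lines.
        report(f"unhandled exception, ref {reference}\n{traceback.format_exc()}")
        return 1, display(reference)


if __name__ == "__main__":
    import sys
    logging.basicConfig(filename="app.log", level=logging.INFO)
    # Constructed failure: a missing config file raises FileNotFoundError.
    code, message = run_guarded(lambda: open("/nonexistent/config.ini"))
    if message:
        print(message, file=sys.stderr)
    sys.exit(code)
```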

