Hey everyone,

I just wanted to do a quick post to remind everyone writing Python
applications that you'll probably want to turn Debug mode off when you
deploy your applications. This code snippet that ships with Webapp:

application = webapp.WSGIApplication([
   ('/', MainPage)
], debug=True)

... should look like this before deployment:

application = webapp.WSGIApplication([
   ('/', MainPage)
])

(You can also explicitly set debug=False, but False is already the default value.)

Most of the time, forgetting to do this is pretty harmless. However, by not
turning the debug flag off, you risk exposing possible sensitive keys or
information to an end user looking at your site from a web view. Consider
the following micro application:

http://pastie.org/1156814

If we leave the debug flag set to true and the exception is raised, we get a
traceback that looks like this:

Traceback (most recent call last):
  File "/Users/ikai/Library/appengine/google_appengine_1_3_5/google/appengine/ext/webapp/__init__.py", line 511, in __call__
    handler.get(*groups)
  File "/Users/ikai/Documents/python/exporesource/main.py", line 21, in get
    wrapper(True)
  File "/Users/ikai/Documents/python/exporesource/main.py", line 16, in wrapper
    sensitive("[email protected]", "password", throws_exception)
  File "/Users/ikai/Documents/python/exporesource/main.py", line 11, in sensitive
    raise CrazyException()
CrazyException


Oops, we just exposed a password. This behavior is documented here:

http://code.google.com/appengine/docs/python/tools/webapp/wsgiapplicationclass.html
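The exposure described above, as an added example that is neither the post's code nor webapp's own: a minimal WSGI wrapper that reproduces what the debug flag does (traceback into the response) next to the hardened default (traceback only into the server log). The handler, the exception class and the helper names are constructed for illustration, and the e-mail and password literals are placeholder values.

```python
import logging
import traceback

log = logging.getLogger("demo")


class CrazyException(Exception):
    """Stand-in for the exception raised in the post's micro application."""


def throws_exception():
    raise CrazyException()


def sensitive(email, password, callback):
    # Hypothetical helper; the call site below puts constructed credentials on a
    # source line, which a traceback echoes verbatim when the source is readable.
    callback()


def broken_handler(environ):
    # Constructed stand-in for MainPage.get(); the credentials are sample values.
    sensitive("user@example.com", "password", throws_exception)
    return "200 OK", "never reached"


def make_app(handler, debug=False):
    """Wrap a handler the way webapp's debug flag does: with debug=True the
    traceback is written into the HTTP response; otherwise it is only logged."""
    def app(environ, start_response):
        try:
            status, body = handler(environ)
        except Exception:
            tb = traceback.format_exc()
            log.error("unhandled exception:\n%s", tb)  # server-side record only
            status = "500 Internal Server Error"
            body = tb if debug else "Internal Server Error"
        start_response(status, [("Content-Type", "text/plain")])
        return [body.encode()]
    return app


def call(app, path="/"):
    """Invoke a WSGI app in-process and return (status, body) for inspection."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], body.decode()
```

With debug=True the response body is the full traceback, including the source line carrying the credentials whenever Python can read the source file; with debug=False the client sees only the generic 500 and the traceback goes to the log.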

It's fairly unlikely you'll have plaintext strings in your code like in the
example, but it definitely does happen
(http://news.ycombinator.com/item?id=1685615). We'll update the docs to be
more explicit about this behavior, but in the meantime, we've just decided
to post in the groups to let everyone know.


-- 
Ikai Lan
Developer Programs Engineer, Google App Engine
Blog: http://googleappengine.blogspot.com
Twitter: http://twitter.com/app_engine
Reddit: http://www.reddit.com/r/appengine
