Thanks Ikai for that. Do you also have any stats on what is the performance overhead if the debugger is left on?
On Tue, Sep 14, 2010 at 3:24 AM, Ikai Lan (Google) <[email protected]> wrote:

> Hey everyone,
>
> I just wanted to do a quick post to remind everyone writing Python
> applications that you'll probably want to turn Debug mode off when you
> deploy your applications. This code snippet that ships with Webapp:
>
>     application = webapp.WSGIApplication([
>         ('/', MainPage)
>     ], debug=True)
>
> ... should look like this before deployment:
>
>     application = webapp.WSGIApplication([
>         ('/', MainPage)
>     ])
>
> (You can also explicitly set debug=False, but this is a default value)
>
> Most of the time, forgetting to do this is pretty harmless. However, by not
> turning the debug flag off, you risk exposing possible sensitive keys or
> information to an end user looking at your site from a web view. Consider
> the following micro application:
>
> http://pastie.org/1156814
>
> If we leave the debug flag set to true and the exception is raised, we get
> a traceback that looks like this:
>
>     Traceback (most recent call last):
>       File "/Users/ikai/Library/appengine/google_appengine_1_3_5/google/appengine/ext/webapp/__init__.py", line 511, in __call__
>         handler.get(*groups)
>       File "/Users/ikai/Documents/python/exporesource/main.py", line 21, in get
>         wrapper(True)
>       File "/Users/ikai/Documents/python/exporesource/main.py", line 16, in wrapper
>         sensitive("[email protected]", "password", throws_exception)
>       File "/Users/ikai/Documents/python/exporesource/main.py", line 11, in sensitive
>         raise CrazyException()
>     CrazyException
>
> Oops, we just exposed a password. This behavior is documented here:
>
> http://code.google.com/appengine/docs/python/tools/webapp/wsgiapplicationclass.html
>
> It's fairly unlikely you'll have plaintext strings in your code like in the
> example, but it definitely does happen
> (http://news.ycombinator.com/item?id=1685615). We'll update the docs to be
> more explicit about this behavior, but in the meantime, we've just decided
> to post in the groups to let everyone know.
>
> --
> Ikai Lan
> Developer Programs Engineer, Google App Engine
> Blog: http://googleappengine.blogspot.com
> Twitter: http://twitter.com/app_engine
> Reddit: http://www.reddit.com/r/appengine
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-appengine?hl=en.
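Added example, not part of the thread and not the pastie code: a plain WSGI stand-in (not webapp itself) that mimics the behaviour the quoted post describes, returning the traceback to the client when a debug flag is on and logging it server-side otherwise. The names `make_app`, `handler` and `fetch` and the credentials are constructed for illustration.

```python
import io
import logging
import traceback


class CrazyException(Exception):
    pass


def sensitive(user, password, throws_exception):
    if throws_exception:
        raise CrazyException()


def handler():
    # Constructed credentials. A traceback prints the source line of each
    # frame, so literals passed on this line are echoed in the error page.
    sensitive("user@example.test", "password", True)
    return "ok"


def make_app(debug=False):
    """Hypothetical WSGI app factory; debug defaults to off, as in webapp."""
    def app(environ, start_response):
        try:
            body, status = handler(), "200 OK"
        except Exception:
            status = "500 Internal Server Error"
            detail = traceback.format_exc()
            # The full traceback always goes to the server log.
            logging.error("unhandled exception\n%s", detail)
            # Only a debug build hands it to the client.
            body = detail if debug else "Internal Server Error"
        start_response(status, [("Content-Type", "text/plain; charset=utf-8")])
        return [body.encode("utf-8")]
    return app


def fetch(app, path="/"):
    """Call the WSGI app in-process and return (status, body)."""
    captured = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "wsgi.input": io.BytesIO()}
    chunks = app(environ, lambda status, headers: captured.update(status=status))
    return captured["status"], b"".join(chunks).decode("utf-8")


if __name__ == "__main__":
    for debug in (True, False):
        print("debug=%s -> %s\n%s\n" % ((debug,) + fetch(make_app(debug))))
```
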
