disabling details in tracebacks?

[Robert Jacobson]

Is there already a supported way to disable tracebacks unless a debug flag is set; similar to https://stackoverflow.com/questions/27674602/hide-traceback-unless-a-debug-flag-is-set ? 

[RjOllos]

On Wednesday, February 1, 2023 at 3:55:09 PM UTC-5 ter...@gmail.com wrote:

Is there already a supported way to disable tracebacks unless a debug flag is set; similar to https://stackoverflow.com/questions/27674602/hide-traceback-unless-a-debug-flag-is-set ? 

Do you mean tracebacks rendered on internal errors? I believe those should only be shown for users with TRAC_ADMIN permission.

https://trac.edgewall.org/browser/tags/trac-1.4.3/trac/web/main.py?marks=736#L719 

[Robert Jacobson]

Ah, ok I should explain more what I'm after.  The traceback is always provided in the response, but the Trac code filters it out.    For example, one can do:

curl -s "trac-site/bad-url"

And in the server response will be a traceback, like:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/trac/web/main.py", line 610, in dispatch_request
    dispatcher.dispatch(req)

[...]

Nessus sees the path information in the traceback and calls it a vulnerability.   ( https://www.tenable.com/plugins/nessus/57640 ) 

I'd like to disable the traceback unless I do something like set "debug=1" in trac.ini or something similar.

As of now, I've manually edited "site-packages/trac/__init__.py" to include:

import sys
sys.tracebacklimit=0

Which does the trick.  However, that change will be overwritten for every new install/upgrade.