fix: stop leaking stack traces to clients in HTTP 500 responses

Tracebacks exposed file paths, module names, and potentially secret
values from local variables. Now logged server-side only; clients
receive a generic error message.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Nathan Esquenazi
2026-04-03 06:41:32 -07:00
parent 3f9d1da0e2
commit 1b1cd124f6
4 changed files with 42 additions and 4 deletions

@@ -74,4 +74,5 @@ def handle_upload(handler):
dest.write_bytes(file_bytes)
return j(handler, {'filename': safe_name, 'path': str(dest), 'size': dest.stat().st_size})
except Exception as e:
return j(handler, {'error': str(e), 'trace': _tb.format_exc()}, status=500)
print('[webui] upload error: ' + _tb.format_exc(), flush=True)
return j(handler, {'error': 'Upload failed'}, status=500)
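
Review bot: in the except branch of handle_upload, the bound name `e` is no longer used once the response stops echoing `str(e)`, and the traceback is written with print() to stdout, so the server-side record has no log level, timestamp or request identifier. Suggest dropping `as e`, routing the message through the logging module (for example `logger.exception('upload error')`, which attaches the traceback itself), and adding a short generated error id to both the log line and the JSON body so that a client report of 'Upload failed' can be matched to its trace without exposing it. Also worth confirming that the logged traceback goes to a destination with restricted read access, since the commit message notes it can contain file paths and module names.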