fix: stop leaking stack traces to clients in HTTP 500 responses

Tracebacks exposed file paths, module names, and potentially secret
values from local variables. Now logged server-side only; clients
receive a generic error message.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Nathan Esquenazi
2026-04-03 06:41:32 -07:00
parent 3f9d1da0e2
commit 1b1cd124f6
4 changed files with 42 additions and 4 deletions


@@ -40,7 +40,8 @@ class Handler(BaseHTTPRequestHandler):
if result is False:
return j(self, {'error': 'not found'}, status=404)
except Exception as e:
return j(self, {'error': str(e), 'trace': traceback.format_exc()}, status=500)
print(f'[webui] ERROR {self.command} {self.path}\n' + traceback.format_exc(), flush=True)
return j(self, {'error': 'Internal server error'}, status=500)
def do_POST(self):
self._req_t0 = time.time()
@@ -51,7 +52,8 @@ class Handler(BaseHTTPRequestHandler):
if result is False:
return j(self, {'error': 'not found'}, status=404)
except Exception as e:
return j(self, {'error': str(e), 'trace': traceback.format_exc()}, status=500)
print(f'[webui] ERROR {self.command} {self.path}\n' + traceback.format_exc(), flush=True)
return j(self, {'error': 'Internal server error'}, status=500)
def main():
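Review bot: The new log line in both except bodies writes `self.path` verbatim, so any query string on the failing request (which may carry tokens or other sensitive parameters) now lands in the stdout log next to the traceback; logging `self.path.split('?', 1)[0]`, or a redacted form, keeps this fix from moving the exposure from the response to the log sink. The client also receives nothing it can quote back, so matching a reported 500 to its traceback depends on timestamps alone; a short random id printed in the log line and returned as `{'error': 'Internal server error', 'id': err_id}` would allow correlation without revealing internals. `e` is now unused in both `except Exception as e:` clauses, and the two identical except bodies (the handler above `do_POST` and `do_POST` itself) could share one private helper so the policy cannot drift between them. Both handler bodies start outside the visible hunks, so whether other paths still return `str(e)` to the client cannot be checked from here.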