ISFDB Bibliographic Tools / Feature Requests / #1689 Python3: /common/isfdb.py Security Fixes

#1689 Python3: /common/isfdb.py Security Fixes

Milestone: Approved

Status: open

Owner: Al von Ruff

Labels: None

Priority: 5

Updated: 2026-02-25

Created: 2026-02-25

Creator: Al von Ruff

Private: No

cgitb — production information leak

cgitb.enable() was unconditionally active, causing unhandled exceptions to render full tracebacks — including local variable values, file paths, and source code — into the HTTP response. A GLOBAL_DEBUG flag has been added to localdefs.py (default 0). cgitb now only enables when GLOBAL_DEBUG = 1, allowing developers to activate it on local instances without touching application code. The localdefs import was also moved above the cgitb block to ensure the flag is in scope when evaluated.

Bug: self.parameter typo in _DisplayBiblioError

self.parameter[0] referenced a non-existent attribute — the correct name is self.parameters. The bare except: clause was silently swallowing the resulting AttributeError, causing error pages in the cgi-bin directory to always display with record_id = 0 rather than the actual record ID. Fixed the typo and narrowed the exception to except (IndexError, ValueError, TypeError):.

Unescaped message in error display functions

All three DisplayError methods injected the message argument raw into an h3 tag. Messages originate from internal code rather than direct user input, but for defence in depth and consistency with how page titles are handled elsewhere, all three now pass message through ISFDBText() before output. A local from library import ISFDBText import is used in each method, following the existing pattern in PrintHTMLHeaders.

allowed_values = [] mutable default argument in Parameter

The default value for allowed_values was a mutable list, shared across all calls. Changed to None. The existing if allowed_values and guard already handles None correctly, so no call sites are affected.

Non-idiomatic raise for control flow in Parameter

Two try blocks used bare raise (outside an except handler) to force a fall-through to the except clause — an obscure pattern that works but is hard to read. Both replaced with conventional alternatives: the parameter-fetch block now uses self.parameters[param_number] or '' with except IndexError, and the integer-validation block moves the value < 0 check outside the try so except (ValueError, TypeError) only catches genuine
conversion failures.

Discussion

Description has changed:

Diff:

--- old
+++ new
@@ -8,7 +8,7 @@

 **Unescaped message in error display functions**

-All three _Display*Error methods injected the message argument raw into an &lt;h3&gt; tag. Messages originate from internal code rather than direct user input, but for defence in depth and consistency with how page titles are handled elsewhere, all three now pass message through ISFDBText() before output. A local from library import ISFDBText import is used in each method, following the existing pattern in PrintHTMLHeaders.
+All three DisplayError methods injected the message argument raw into an h3 tag. Messages originate from internal code rather than direct user input, but for defence in depth and consistency with how page titles are handled elsewhere, all three now pass message through ISFDBText() before output. A local from library import ISFDBText import is used in each method, following the existing pattern in PrintHTMLHeaders.

 **allowed_values = [] mutable default argument in Parameter**

Anonymous

Add attachments
Cancel
You seem to have CSS turned off. Please don't fill out this field.

You seem to have CSS turned off. Please don't fill out this field.

Anonymous

Python3: /common/isfdb.py Security Fixes

Group

Searches

Help

#1689 Python3: /common/isfdb.py Security Fixes

Discussion