I have always hated the tend to display users error messages that included information about what when wrong. What the heck do they care? They aren't going to fix it. They just want to get what they were after. Also there is a very real security hole with doing this. You may end up telling the users where on the file system things are, information about the database, atabase user or server which could give them an idea of what your backend is like (yeah yeah yeah,
security through obscurity blah blah blah... but this is a GPLed package and there is no need in lighting the path to the window that the robber can break).
To this end I modified Metadot to email the account listed in 'Mail sender address' (this could easily be changed to something else) the
text of the error message as well as information about the request (ENV and CGI::param info). It then gives the user a generic 'we have a problem Houston' message.
In Glo.pm add this (no need to export it, that just eats up memory):
sub handle_errors
{
my $msg = "***\n*** Error message:\n***\n" . shift;
my $env = join("\n",
# I am using Mail::Sendmail, I like it and using
# Metadot's was causing an error. This worked so I didn't
# look in to the problem further.
use Mail::Sendmail;
use Text::Wrapper;
my %msg = ('From' => $GA{'sender'},
'To' => $GA{'sender'},
'Subject' => "PORTAL FATAL ERROR: " . $ENV{'SERVER_NAME'} .
$ENV{'REQUEST_URI'},
'Message' => join("\n\n", $msg, $env, $prm));
sendmail %msg;
print "The server encountered and was unable to complete your request.
The appropriate people have been notified and will be looking in to the error soon.
Please try your request again.
";
exit 0;
}
Then in Glo::printError:
sub printError {
my $em=shift;
debugMsg(3, "printError()");
&Glo::handle_errors($em);
# You can keep the rest if you want... this doesn't return
}
Finally in index.pl and userchannel.pl:
use CGI::Carp qw(fatalsToBrowser);
BEGIN {
CGI::Carp::set_message(\&Glo::handle_errors);
}
Then to make your life a little easier you may want to set up procmail to filter those messages (which is really easy with the standard subject line).
I could make a patch of this if people want it, I am too tired to do that tonight and my versions are already updated so I don't really need one.
I haven't done much testing yet but it was working in my simple tests. Over the next few days I will be able to do more.
Later.
Paul
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I have always hated the tend to display users error messages that included information about what when wrong. What the heck do they care? They aren't going to fix it. They just want to get what they were after. Also there is a very real security hole with doing this. You may end up telling the users where on the file system things are, information about the database, atabase user or server which could give them an idea of what your backend is like (yeah yeah yeah,
security through obscurity blah blah blah... but this is a GPLed package and there is no need in lighting the path to the window that the robber can break).
To this end I modified Metadot to email the account listed in 'Mail sender address' (this could easily be changed to something else) the
text of the error message as well as information about the request (ENV and CGI::param info). It then gives the user a generic 'we have a problem Houston' message.
In Glo.pm add this (no need to export it, that just eats up memory):
sub handle_errors
{
my $msg = "***\n*** Error message:\n***\n" . shift;
my $env = join("\n",
"***\n*** ENVIRONMENT:\n***", map {$_ . "__=>__$ENV{$_}"}
sort({lc($a) cmp lc($b)} keys %ENV));
my $cgi = CGI->new();
my $prm = join("\n",
"***\n*** PARAMETERS:\n***", map {$_ . "__=>__" . $cgi->param($_)}
sort({lc($a) cmp lc($b)} $cgi->param() ));
# I am using Mail::Sendmail, I like it and using
# Metadot's was causing an error. This worked so I didn't
# look in to the problem further.
use Mail::Sendmail;
use Text::Wrapper;
my %msg = ('From' => $GA{'sender'},
'To' => $GA{'sender'},
'Subject' => "PORTAL FATAL ERROR: " . $ENV{'SERVER_NAME'} .
$ENV{'REQUEST_URI'},
'Message' => join("\n\n", $msg, $env, $prm));
sendmail %msg;
print "The server encountered and was unable to complete your request.
The appropriate people have been notified and will be looking in to the error soon.
Please try your request again.
";
exit 0;
}
Then in Glo::printError:
sub printError {
my $em=shift;
debugMsg(3, "printError()");
&Glo::handle_errors($em);
# You can keep the rest if you want... this doesn't return
}
Finally in index.pl and userchannel.pl:
use CGI::Carp qw(fatalsToBrowser);
BEGIN {
CGI::Carp::set_message(\&Glo::handle_errors);
}
Then to make your life a little easier you may want to set up procmail to filter those messages (which is really easy with the standard subject line).
I could make a patch of this if people want it, I am too tired to do that tonight and my versions are already updated so I don't really need one.
I haven't done much testing yet but it was working in my simple tests. Over the next few days I will be able to do more.
Later.
Paul