Open baynes opened 10 years ago
Seems to make sense (not to display error strings from internal errors on the website).
I'd like to work on that.
I'm inclined to agree with @baynes, internal server errors shouldn't happen, so letting plack handle it seems ok to me. Of course the priority should be to stop the internal server errors in the first place.
Perl errors (in Dancer outside routes) give a stack trace in the error page.
[Above using Apache with Fast CGI to talk to Plackup which runs dancer.]
The stack trace should not normally be included in the error response as it may leak information that could be used to attack the server. It should be logged to the logfile instead.
The relevant code is the eval in sub psgi_app in Dancer2::Core::Role::Server .
It would be OK to control the presence of the stack trace in the page by the "show_errors" configuration option. Ideally it would also use the same configurable error page as obtained by a Perl error during a route but that is not important and there might be issues if the error came from generating the error page.
One solution is not to use eval here at all, and let Plack do the error trapping. Then things like Plack::Middleware::StackTrace can be used as desired. This is quite acceptable as errors in Dancer code outside routes should be a very rare occurrence and would reduce the amount of code needed to be supported.