rubensayshi / gw2spidy

GW2Spidy - Guild Wars 2 Tradingpost Graphs
http://www.gw2spidy.com
231 stars, 86 forks

Full Stack traces enabled #172

Closed coldwaterq closed 9 years ago

coldwaterq commented 9 years ago

For security reasons it is best to disable full stack traces in the production version of the site.

For example requesting http://www.gw2spidy.com/item/69774 returns

in /var/sandbox/gw2spidy/vendor/silex/silex/src/Silex/Application.php line 334
at Application->abort('404', 'Page does not exist.') in /var/sandbox/gw2spidy/controllers/items.php line 86
at {closure}('69774')
at call_user_func_array(object(Closure), array('69774')) in /var/sandbox/gw2spidy/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/HttpKernel.php line 129
at HttpKernel->handleRaw(object(Request), '1') in /var/sandbox/gw2spidy/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/HttpKernel.php line 73
at HttpKernel->handle(object(Request), '1', true) in /var/sandbox/gw2spidy/vendor/silex/silex/src/Silex/Application.php line 509
at Application->handle(object(Request)) in /var/sandbox/gw2spidy/vendor/silex/silex/src/Silex/Application.php line 484
at Application->run() in /var/sandbox/gw2spidy/webroot/index.php line 93

This tells an attacker that you are running PHP and that the website is served from /var/sandbox/gw2spidy/. A great deal of folder structure is displayed, and a bit of how the code operates is disclosed from this one request. Using this with other errors could divulge security vulnerabilities that would otherwise not be known.

coldwaterq commented 9 years ago

Changing "debug": true, to "debug": false, in /config/cnf/default.json on the production server should resolve the issue I believe.
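As an added example (not gw2spidy's own code), this is how a Silex 1.x front controller can read the "debug" flag from the config file named above and, when debug is off, keep the full exception detail in the server log while the client only ever sees a generic status page. The route, the use of error_log() in place of the project's logger, and the autoload path are assumptions for illustration.

```php
<?php
// Added example, not gw2spidy's own code. Assumes Silex 1.x with the Symfony
// HttpFoundation component it depends on, installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

use Silex\Application;
use Symfony\Component\HttpFoundation\Response;

$app = new Application();

// Config path and key as named in the issue. Fail closed: if the file is
// missing or malformed, debug stays off rather than defaulting to verbose errors.
$cnfPath = __DIR__ . '/config/cnf/default.json';
$cnf = is_file($cnfPath) ? json_decode(file_get_contents($cnfPath), true) : null;
$app['debug'] = is_array($cnf) && !empty($cnf['debug']);

// Illustrative route that aborts the same way the trace in the issue shows.
$app->get('/item/{id}', function ($id) use ($app) {
    $app->abort(404, 'Page does not exist.');
});

// Silex passes the HTTP status code as $code (the HttpException status, or 500
// for any other exception).
$app->error(function (\Exception $e, $code) use ($app) {
    if ($app['debug']) {
        // Returning nothing hands over to Silex's debug handler, which prints
        // the full trace. Acceptable on a developer machine only.
        return;
    }

    // Class, message, file, line and trace stay server-side in the log.
    error_log(sprintf(
        '[%s] %s in %s:%d%s%s',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()
    ));

    // The client gets only the status and a fixed, generic message; no paths,
    // class names or exception text leak regardless of what was thrown.
    $messages = [404 => 'Page does not exist.', 403 => 'Forbidden.'];
    $message = isset($messages[$code]) ? $messages[$code] : 'Something went wrong.';

    return new Response($message, $code, ['Content-Type' => 'text/plain']);
});

$app->run();
```

With "debug": false in the config, a request such as /item/69774 now yields a plain 404 body, and the stack trace from the issue appears only in the web server's error log.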

rubensayshi commented 9 years ago

hmm yea, I probably enabled it when trying to debug something and forgot to turn it off, thanks!