We got a lot of errors like this: https://gist.github.com/peterbe/432bff89951efc483f86 That's a fuzzer that GETs something like this: /report/list/partials/reports/?sort=<VERY INVALID STRING> The middleware correctly rejects them but we let it become a full-blown 500 error on the webapp. I think we should carry these error codes on through the web app. All 400 errors in the middleware are "expected" so they will never leak anything unexpected. In Django 1.5 you can't do something like `raise Http400()` (but you can do `raise Http404()`) that will automatically return a response. However we can catch all response errors in a middleware. What say you? https://github.com/mozilla/socorro/blob/master/webapp-django/crashstats/crashstats/models.py#L313-L314
Rob, Adrian, what do you think? This would *greatly* reduce the amount of wolf-crying errors in errormill. Lars, can you think of ANY reason why a middleware implementation class might raise a Bad Request with a message that should NOT make it all the way to the client making the request to the webapp?
The middleware raises 400 Bad Request errors in 3 different cases:
- if the implementation key does not exist (i.e. with `Crash: typo` in the config)
- if the implementation class cannot be loaded
- if an implementation class raised either a MissingArgumentError or a BadArgumentError.
None of those cases expose any sensitive information whatsoever. I thus say: go for it!
Assignee: nobody → peterbe
Status: NEW → ASSIGNED
Commits pushed to master at https://github.com/mozilla/socorro
https://github.com/mozilla/socorro/commit/8b0cee067f6760d78aa75065c1ddded1c24acffc
fixes bug 1089897 - propagate 400 errors from middleware
https://github.com/mozilla/socorro/commit/bf39f2ea86505792b15b7a16f919a08386c96a39
Merge pull request #2464 from peterbe/bug-1089897-propagate-400-errors-from-middleware
fixes bug 1089897 - propagate 400 errors from middleware
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
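The approach discussed in this bug, sketched as an added example that is not the socorro code: an exception hook turns an upstream 400 into a 400 response and lets everything else remain a 500. `UpstreamStatusError`, `Response`, `Propagate400Middleware` and `handle()` are hypothetical names, `Response` stands in for Django's `HttpResponse`, and the body cap and `text/plain` content type are assumptions added here.

```python
# Added illustration. UpstreamStatusError, Response, Propagate400Middleware and
# handle() are hypothetical names, not taken from the socorro code base.

class UpstreamStatusError(Exception):
    """Model layer got a non-200 answer from the middleware API."""
    def __init__(self, status, body):
        super().__init__("%s: %s" % (status, body))
        self.status = status
        self.body = body

class Response:
    """Stand-in for django.http.HttpResponse so this runs without Django."""
    def __init__(self, content, status, content_type="text/plain; charset=utf-8"):
        self.content = content
        self.status_code = status
        self.content_type = content_type

class Propagate400Middleware:
    """Shaped like an old-style Django middleware: process_exception() may
    return a response, or None to let normal 500 handling continue."""
    MAX_BODY = 500  # assumption: cap how much upstream text is echoed back

    def process_exception(self, request, exception):
        if not isinstance(exception, UpstreamStatusError):
            return None  # unrelated bug: keep the 500 and the error report
        if exception.status != 400:
            return None  # upstream 5xx bodies are not "expected" messages
        # text/plain so an echoed parameter is never rendered as markup
        return Response(exception.body[:self.MAX_BODY], 400)

def handle(view, request, middleware):
    """Minimal dispatcher mimicking how the framework consults the hook."""
    try:
        return view(request)
    except Exception as exc:
        response = middleware.process_exception(request, exc)
        return response or Response("Internal Server Error", 500)

# Constructed sample views standing in for calls into the model layer.
def bad_sort_view(request):
    raise UpstreamStatusError(400, "Bad value for parameter sort")

def upstream_down_view(request):
    raise UpstreamStatusError(503, "Traceback: db host 10.0.0.5 refused")

if __name__ == "__main__":
    mw = Propagate400Middleware()
    for view in (bad_sort_view, upstream_down_view):
        r = handle(view, {}, mw)
        print(view.__name__, r.status_code, r.content)
```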