System disclosure when calling /chrome/site/css

[ja@…]

Call /chrome/site/css will result in python trace error

Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/trac-0.10-py2.4.egg/trac/web/main.py", line 356, in dispatch_request
    dispatcher.dispatch(req)
  File "/usr/lib/python2.4/site-packages/trac-0.10-py2.4.egg/trac/web/main.py", line 224, in dispatch
    resp = chosen_handler.process_request(req)
  File "/usr/lib/python2.4/site-packages/trac-0.10-py2.4.egg/trac/web/chrome.py", line 234, in process_request
    raise HTTPNotFound('File %s not found', filename)
HTTPException: 404 Not Found (File css not found)

[Emmanuel Blot]

Not sure what you are expecting at this point:
chrome/site/css is usually a directory that contains site-specific CSS files.

Trac chrome handler does not list directory contents, it only serves files.

[sid]

Proposing to close as wontfix

[Matthew Good]

I don't understand the summary's claim of "system disclosure", but I don't think that a traceback should be displayed for the 404 response, so we should look into why that's happening.

[sid]

I believe he means that the Trac installation path is shown to the user in the traceback.

[osimons]

This is no longer the case with 0.11:

1. File not found will not give a traceback.
2. If for some (other) reason a traceback occurs, it will only be available for users with TRAC_ADMIN permissions.

I did test it your example url on current 0.10.5dev, and the traceback appears to all users - the page only shows the traceback and nothing else, so this obviously does not get trapped by Trac in the proper manner.

Either someone feels this is important enough to be fixed for a possible 0.10.5 release, or we should close it as 'wontfix' and recommend to upgrade if this is a problem. Opinions?

[Christian Boos]

I don't think this will change for 0.10.x.