from flask import Flask

app = Flask(__name__)

@app.route('/')
def index():
    return 'FRIENDS'

@app.route('/home')
def home():
    return 'BARBAD, PARTI'

if __name__ == '__main__':
    app.run(debug=True)

After a Google search I came to know that if the debug option is enabled then there is no need to restart the interpreter manually after each change to my code. But I have also read in the Flask documentation:

Even though the interactive debugger does not work in forking environments (which makes it nearly impossible to use on production servers), it still allows the execution of arbitrary code. This makes it a major SECURITY risk and therefore it must never be used on production machines.

I am not getting how they have related it to SECURITY and other stuff. Can anyone help me in understanding what they are talking about? Thanks in advance.

Alexandre
cryptomanic
    "it still allows the execution of arbitrary code" Arbitrary user defined code = gaping security hole. It's referring to the live Python REPL included on an error page. If an end user somehow got a working debug error page, they could literally write Python code and have it executed on the server. – jpmc26 Mar 30 '15 at 06:55

1 Answer


Why is debug mode required?

The debug option is given to you so that you are able to get the full traceback of your errors, and the ability to execute code from the browser to be able to debug in place. This is to make debugging easier for you as the developer.

Why should you not use it in production?

  1. You don't want anyone to see your traceback, should there be an error. We only show the user that it's a 500 or a 404 and something was wrong with their request or the server wasn't able to process their request. You don't want to show this because it's not secure to give anyone any idea of security holes in your application, because they can exploit it.

  2. You never want anyone to execute code on your machine other than yourself or someone you trust. If a malicious user is able to execute arbitrary code on your server, they would be able to do bad stuff!

A good practice for setting the debug mode is to decide if you are in production or development environment from an environment variable. Something like this:

import os
from flask import Flask

app = Flask(__name__)

@app.route('/')
def index():
    return 'FRIENDS'

@app.route('/home')
def home():
    return 'BARBAD, PARTI'

if __name__ == '__main__':
    # Debug is on only while APP_ENV says 'development' (the default here).
    app.run(debug=os.environ.get('APP_ENV', 'development') == 'development')

and remember to set 'APP_ENV' to production in your production environment.

adarsh
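As an added example (this is not code from the question or from the answer above), here is how I would wire that environment check so that it fails closed, together with a startup guard and a small probe that shows what a visitor sees on an unhandled error under each setting. The variable name APP_ENV follows the answer; the `/boom` route and its exception message are constructed for the probe; and, unlike the answer's snippet, a missing or unrecognised APP_ENV means debug off.

```python
import os
from flask import Flask

# Environment variable name, following the answer above (an assumption).
ENV_VAR = 'APP_ENV'


def debug_from_env(environ=None):
    """Return True only when APP_ENV is explicitly 'development'.

    A missing or unrecognised value means debug OFF, so the configuration
    you get by forgetting to set anything is the safe one.
    """
    env = os.environ if environ is None else environ
    return env.get(ENV_VAR, 'production').strip().lower() == 'development'


def create_app(environ=None):
    app = Flask(__name__)
    app.config['DEBUG'] = debug_from_env(environ)
    if not app.config['DEBUG']:
        # Keep exceptions inside Flask so they become a plain 500 page.
        # The interactive debugger can only render a traceback (and offer
        # its console) when the exception escapes to the WSGI layer.
        app.config['PROPAGATE_EXCEPTIONS'] = False

    @app.route('/')
    def index():
        return 'FRIENDS'

    @app.route('/boom')
    def boom():
        # Constructed failing route, used below to probe what a client sees.
        raise RuntimeError('simulated internal failure')

    return app


def refuse_debug_in_production(app, environ=None):
    """Startup guard: raise if debug is on anywhere except development.

    Catches the classic mistake of a hard-coded app.run(debug=True) or a
    stray DEBUG=True in a config file that reaches a production host.
    """
    env = os.environ if environ is None else environ
    current = env.get(ENV_VAR, 'production')
    if app.debug and current != 'development':
        raise RuntimeError(
            f'refusing to serve with DEBUG=True while {ENV_VAR}={current!r}')
    return True


def probe_error_response(environ):
    """Hit the failing route with Flask's test client.

    Reports whether the exception escaped Flask (under a real
    app.run(debug=True) that is where the Werkzeug debugger takes over and
    renders the traceback page) and whether the response body that a
    visitor receives contains the exception message or a traceback.
    """
    app = create_app(environ)
    client = app.test_client()
    try:
        resp = client.get('/boom')
    except Exception as exc:  # debug mode: Flask re-raises instead of answering
        return {'status': None, 'escaped_flask': True,
                'body_leaks': None, 'exception': type(exc).__name__}
    body = resp.get_data(as_text=True)
    return {
        'status': resp.status_code,
        'escaped_flask': False,
        'body_leaks': ('simulated internal failure' in body) or ('Traceback' in body),
        'exception': None,
    }


if __name__ == '__main__':
    print('production :', probe_error_response({ENV_VAR: 'production'}))
    print('development:', probe_error_response({ENV_VAR: 'development'}))
```

Run it directly and it prints the two probe results. In production the visitor gets a generic 500 page that names neither the exception nor the traceback; in development the exception leaves Flask entirely, which is exactly the point at which `app.run(debug=True)` hands it to the Werkzeug debugger and the traceback page (with the console the comment above mentions) appears. The test client carries no such middleware, so the probe only observes the escape, not the page. None of this matters if you never call `app.run()` in production: serve the app from a WSGI server and leave debug to the development loop, with the guard in place in case a debug setting slips through anyway.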