Re: Worst Error Message?

On 30 Jul 2011, at 20:10, Les Mikesell wrote:

> On 7/30/11 1:14 PM, Jeremy Pereira wrote:
>>
>> On 30 Jul 2011, at 18:17, Les Mikesell wrote:
>>
>>>
>>> '403 forbidden' makes reasonable sense for a client-side message to someone who shouldn't know internal details anyway.
>>
>> Seriously? You think an HTTP response code (which *is* an internal detail) is an acceptable error message. You think it makes sense? Why is 403 forbidden? Oh, right, that's just a code. Ok what is forbidden? Is it me? the repository? writing to the repository? writing to a particular file? Why is it forbidden? Is it because it is Tuesday? WHY???!!!!
>>
>> It's a useless error message. It's even pretty useless to the average person when they are trying to use a browser to access a URL.
>
> From a security perspective it is a bad idea to tell a network client that is doing something you have explicitly denied any of the details of how the system is configured to prevent it. Working correctly is usually a yes or no question and this answer is clearly 'no'.
>

From a software-that-is-not-a-complete-pig-to-use point of view, this is nonsense. If I'm a user trying to check something in to subversion, "403 forbidden" is useless. I don't know if I've got to the wrong server, mistyped a URL or don't have access rights. If you think the error message "you do not have permission to commit to $URL_THATS_EASY_TO_FIND_IN_THE_WORKING_COPY" is a security risk, you need to think again about what security is.

>>> Is something better in the apache error log where the sysadmin who set it up wrong should be looking?
>>
>> Except that the administrator might not have set up the repository wrong. He might have made it deliberately read only. Users should not have to trawl Apache logs to find out that they are not allowed to commit to a repository.
>
> Right, if the system is intentionally set up for read-only access, the user should not get a hint about how to work around it, and it won't do them any particular good to know if it is denied in the http config, the authorization setup, or the filesystem. Really, what do you need to know as an end user besides that your commit was denied?

Telling somebody that they only have read access to a repository is not giving them a hint about how to work around it. "403 forbidden" is not telling somebody that they only have read access to a repository (or part of a repository). It's telling them that a web server somewhere doesn't like them. "What a web server? I thought I was using subversion" says the user.
Received on 2011-07-31 22:25:14 CEST