Issue #4 resolved

mediahandler security of paths

cleemesser
repo owner created an issue

The mediahandler middleware is quite naive.

1. look at sanitizing the path request that comes to it to prevent navigation out of the root
2. review literature on security of serving static files, cf. cherrypy discussions

Comments (7)

  1. cleemesser reporter

    Ok, after a little testing, it looks like use of .. in a URL gets re-written to an absolute path, so you can't use .. to escape containment, using Firefox at least. Try other direct methods.

  2. cleemesser reporter

    Look into cherrypy's static serve tools for safe static file serving. May wish to take the following strategy:

    1. use django's code for serving the uncollected static files.
    2. collectstatic and use cherrypy static tools for serve option in production

  3. jamalex

    Browsers auto-rewrite the URL to remove .. from the path, but that doesn't matter from a security perspective -- e.g. doing "curl" from the command line allowed me to download the database file for a project running through django-wsgiserver. I'll submit a patch I wrote, momentarily. Thanks!
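
The traversal jamalex describes, and the path sanitizing the issue asks for, as an added example that is not code from django-wsgiserver, cherrypy or either commenter: a naive join that lets a raw `../` request (sent with curl, so no browser normalisation) reach a file above the media root, beside a containment check that rejects it. The function names, the temporary directory tree and the file names are constructed for the illustration; the check resolves the candidate path with `os.path.realpath` and requires it to stay inside the resolved root.

```python
"""Path containment for a static/media handler (added example, not project code)."""
import os
import shutil
import tempfile
from urllib.parse import unquote


def naive_media_path(media_root, url_path):
    # Illustrative insecure handler (hypothetical, not django-wsgiserver's code):
    # joins the request path onto the root with no containment check.
    # A browser collapses "/media/../x" before sending, but curl or a raw
    # socket does not, so ".." reaches the server intact.
    return os.path.join(media_root, url_path.lstrip("/"))


def safe_media_path(media_root, url_path):
    """Return the absolute file path for url_path under media_root,
    or None if the request would escape the root."""
    root = os.path.realpath(media_root)
    # Percent-decode first so "%2e%2e" is seen as ".." before any check.
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None  # NUL would truncate the path in C-level file APIs
    # lstrip("/") matters: os.path.join discards root if the second
    # argument is absolute.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath also follows symlinks, so a link inside the root that
    # points outside it is rejected as well.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def demo():
    """Build a throwaway tree (constructed sample data) and compare both handlers."""
    base = tempfile.mkdtemp()
    try:
        media = os.path.join(base, "media")
        os.makedirs(media)
        with open(os.path.join(media, "logo.png"), "wb") as f:
            f.write(b"PNG")
        # Constructed stand-in for a project database sitting beside MEDIA_ROOT.
        with open(os.path.join(base, "project.db"), "wb") as f:
            f.write(b"SQLite")
        traversal = "../project.db"
        return {
            # the naive join resolves to a real file above the root
            "naive_escapes": os.path.exists(naive_media_path(media, traversal)),
            # the checked join refuses it, plain and percent-encoded
            "safe_blocks": safe_media_path(media, traversal) is None,
            "safe_blocks_encoded": safe_media_path(media, "%2e%2e/project.db") is None,
            # a legitimate file under the root is still served
            "safe_serves": safe_media_path(media, "logo.png")
            == os.path.join(os.path.realpath(media), "logo.png"),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

The check rejects an escaping request rather than clamping it back under the root, so a probe like the one above gets a 404 or 403 instead of silently serving some other file. Django ships its own equivalent (`django.utils._os.safe_join`), which is what its static-file view uses, so following the plan in comment 2 and reusing Django's serving code gets this check for free.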

  4. cleemesser reporter

    Thanks for the patch. I think it makes sense and improves security significantly.

    In terms of the repo security. Let me look into that.
