mediahandler security of paths

Issue #4 resolved
Christopher Lee-Messer
repo owner created an issue

The mediahandler middleware is quite naive.
1. look at sanitizing the path request that comes to it to prevent navigation out of the root
2. review literature on security of serving static files, cf cherrypy discussions

Comments (7)

  1. Christopher Lee-Messer reporter

    Look into cherrypy's static serve tools for safe static file serving. May wish to take the following strategy:

    1. use django's code for serving the uncollected static files.
    2. collectstatic and use cherrypy static tools for serve option in production
  2. jamalex

    Browsers auto-rewrite the URL to remove .. from the path, but that doesn't matter from a security perspective -- e.g. doing "curl" from the command line allowed me to download the database file for a project running through django-wsgiserver. I'll submit a patch I wrote, momentarily. Thanks!

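The two halves of this thread, the issue's "sanitize the path to prevent navigation out of the root" and jamalex's observation that `curl` delivers a raw `..` path a browser would have collapsed, are easiest to see side by side in code. The following is an added example written for this page; it is not code from django-wsgiserver, CherryPy, Django, or the patch jamalex mentions. It assumes a Django-style media root directory and builds its own throwaway project tree (a `media/` root, a `logo.png` inside it, a `db.sqlite3` beside it, and a symlink planted inside the root) so it runs offline; the `naive_resolve`, `safe_resolve`, `is_safe` and `demo` names are the example's own. `naive_resolve` is the join-and-serve pattern the issue calls naive; `safe_resolve` rejects traversal at the URL layer and then confirms with `realpath` that the file really lives under the root.

```python
"""Constructed example: naive vs. hardened static-path resolution (not project code)."""
import os
import tempfile
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a request path would resolve outside the static root."""


def naive_resolve(root, request_path):
    """The naive pattern the issue describes: glue the URL path onto the root.

    Nothing stops a '..' segment, so '/../db.sqlite3' lands beside the root,
    not under it. Kept only as the 'before' half of the comparison.
    """
    return os.path.join(root, request_path.lstrip("/"))


def safe_resolve(root, request_path):
    """Map a URL path to a file under root, or raise UnsafePath.

    1. percent-decode first, so '%2e%2e' is checked as '..'
    2. reject NUL bytes, which can truncate the name at the OS layer
    3. reject '.', '..', empty and backslash-containing segments outright
       (rejecting beats normalising: a traversal attempt is worth logging,
       not worth quietly serving something else)
    4. realpath() both sides and require the file to stay under the root,
       which also catches symlinks planted inside the media tree
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in request path")
    segments = decoded.lstrip("/").split("/")
    for seg in segments:
        if seg in ("", ".", "..") or "\\" in seg:
            raise UnsafePath("rejected path segment %r" % seg)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *segments))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafePath("path resolves outside the static root")
    return candidate


def is_safe(root, request_path):
    """Boolean wrapper so the decision can be checked without exceptions."""
    try:
        safe_resolve(root, request_path)
        return True
    except UnsafePath:
        return False


def demo():
    """Rebuild the thread's scenario in a temp dir and report what each resolver does."""
    with tempfile.TemporaryDirectory() as project:
        root = os.path.join(project, "media")
        os.mkdir(root)
        with open(os.path.join(root, "logo.png"), "wb") as f:
            f.write(b"\x89PNG")
        db = os.path.join(project, "db.sqlite3")  # constructed stand-in for the project DB
        with open(db, "wb") as f:
            f.write(b"SQLite format 3\x00")
        os.symlink(db, os.path.join(root, "backup.db"))  # symlink inside the root

        # What `curl http://host/media/../db.sqlite3` hands the server: the raw,
        # un-collapsed path. A browser would have rewritten it before sending.
        attack = "/../db.sqlite3"
        with open(naive_resolve(root, attack), "rb") as f:
            naive_reads_db = f.read().startswith(b"SQLite format 3")

        expected_logo = os.path.realpath(os.path.join(root, "logo.png"))
        return {
            "naive_reads_db": naive_reads_db,
            "safe_blocks_dotdot": not is_safe(root, attack),
            "safe_blocks_encoded_dotdot": not is_safe(root, "/%2e%2e/db.sqlite3"),
            "safe_blocks_symlink_escape": not is_safe(root, "/backup.db"),
            "safe_serves_real_file": safe_resolve(root, "/logo.png") == expected_logo,
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-28s %s" % (check, result))
```

Every entry `demo()` returns is `True`: the naive join reads the database through `..`, while the hardened resolver refuses the plain and percent-encoded traversal, refuses the symlink that a purely lexical check would have passed, and still serves the legitimate file. The segment check runs before any filesystem call, so it is cheap to log and cannot be confused by OS-level path handling; the `realpath` comparison is the backstop for what the URL layer cannot see.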