mediahandler security of paths

Issue #4 resolved
Christopher Lee-Messer repo owner created an issue

The mediahandler middleware is quite naive.
1. look at sanitizing the path request that comes to it to prevent navigation out of the root
2. review literature on security of serving static files, cf cherrypy discussions

Comments (7)

  1. Christopher Lee-Messer reporter

    Ok, after a little testing, it looks like use of .. in a url gets re-written to an absolute path so you can't use .. to escape containment using Firefox at least. Try other direct methods.

  2. Christopher Lee-Messer reporter

    Look into cherrypy's static serve tools for safe static file serving. May wish to take the following strategy:

    1. use django's code for serving the uncollected static files.
    2. collectstatic and use cherrypy static tools for serve option in production

  3. Jamie Alexandre

    Browsers auto-rewrite the URL to remove .. from the path, but that doesn't matter from a security perspective -- e.g. doing "curl" from the command line allowed me to download the database file for a project running through django-wsgiserver. I'll submit a patch I wrote, momentarily. Thanks!
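The containment check the first item of the issue asks for, applied server-side because (as comment 3 notes) browser rewriting of `..` is no protection against a client like curl. This is an added example, not django-wsgiserver's mediahandler code and not the patch referred to above; the function name `resolve_static_path`, the throwaway project layout and the sample file names (`uploads/logo.png`, `db.sqlite3`) are constructed for the demonstration.

```python
import os
import posixpath
import shutil
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested URL path would resolve outside the media root."""


def resolve_static_path(root, url_path):
    """
    Map a request path, as a static/media middleware receives it, to an
    absolute filesystem path inside ``root``. Raises PathTraversalError if
    the request would escape the root. The check works on the decoded,
    normalised path, so it does not depend on the client having rewritten
    ".." segments.
    """
    # Percent-decode once: a command-line client can send "%2e%2e" for "..".
    decoded = unquote(url_path)
    # NUL bytes and backslashes never belong in a legitimate media URL.
    if "\x00" in decoded or "\\" in decoded:
        raise PathTraversalError("illegal character in path: %r" % url_path)
    # Lexical normalisation collapses "a/./b", "a//b" and "a/../b"; leading
    # ".." segments survive normpath and are caught by the containment check.
    relative = posixpath.normpath(decoded.lstrip("/"))
    abs_root = os.path.realpath(root)
    # realpath also follows symlinks, so a link inside the root that points
    # outside it fails the same check.
    candidate = os.path.realpath(os.path.join(abs_root, relative))
    if os.path.commonpath([abs_root, candidate]) != abs_root:
        raise PathTraversalError("path escapes media root: %r" % url_path)
    return candidate


def classify_requests(root, url_paths):
    """Return {url_path: "served:<relative path>" or "rejected"} for a batch of requests."""
    results = {}
    abs_root = os.path.realpath(root)
    for url_path in url_paths:
        try:
            resolved = resolve_static_path(root, url_path)
            results[url_path] = "served:" + os.path.relpath(resolved, abs_root)
        except PathTraversalError:
            results[url_path] = "rejected"
    return results


def demo():
    """Build a constructed project layout and run constructed requests against it."""
    project = tempfile.mkdtemp(prefix="mediahandler-demo-")
    try:
        media_root = os.path.join(project, "media")
        os.makedirs(os.path.join(media_root, "uploads"))
        with open(os.path.join(media_root, "uploads", "logo.png"), "wb") as f:
            f.write(b"\x89PNG constructed sample")
        # A file one level above the media root, standing in for anything
        # that must never be reachable through the media URL.
        with open(os.path.join(project, "db.sqlite3"), "wb") as f:
            f.write(b"constructed sample")
        requests = [
            "/uploads/logo.png",                  # ordinary request
            "uploads//logo.png",                  # duplicate slash, still inside root
            "/uploads/../uploads/logo.png",       # ".." that stays inside root
            "/../db.sqlite3",                     # literal traversal a browser would rewrite
            "/%2e%2e/db.sqlite3",                 # percent-encoded traversal
            "/uploads/%2e%2e/%2e%2e/db.sqlite3",  # encoded traversal from a subdirectory
            "/uploads/..\\..\\db.sqlite3",        # backslash variant
            "/uploads/logo.png%00.txt",           # NUL byte
        ]
        return classify_requests(media_root, requests)
    finally:
        shutil.rmtree(project, ignore_errors=True)


if __name__ == "__main__":
    for url_path, outcome in demo().items():
        print("%-40s %s" % (url_path, outcome))
```

The decision is made on the resolved absolute path rather than on the presence of `..` in the URL, so an in-root `uploads/../uploads/logo.png` is served normally while every variant that lands outside the media root is rejected.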

  4. Christopher Lee-Messer reporter

    Thanks for the patch. I think it makes sense and improves security significantly.

    In terms of the repo security, let me look into that.
