Why Django function django.views.static.serve() is insecure?

Developer https://www.devze.com 2022-12-15 02:07 Source: Internet

According to the Documentation, using the django.views.static.server() function is:

inefficient and insecure.

I understand why it's inefficient, but in which aspect is it insecure?


It's as insecure as the Django test server itself, for starters, like the above answer said -- that is, it's not tested for any sort of security the way a "production-ready" server like CherryPy would be. As a result, there could be all sorts of lurking security issues with users accessing files they shouldn't be able to; while these are generally fixed they're not considered "priority" as they would be with a production server, and no one's really banging on it looking for these things.

Furthermore, see this summer's Django security update that fixed a situation where a maliciously-crafted URL could give a visitor access to any file the Django user could see, even if it wasn't under the static root. It's fixed, but should give you an idea about why you should use a Real Server in production settings.
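The flaw described above is a path-traversal escape from the static root: a crafted URL that maps to a file outside the directory being served. The function below is an added example (not Django's code and not the answerer's) showing the containment check a static-file view must make before opening anything; the document root /srv/static and the function name are constructed for illustration.

```python
from pathlib import Path
from urllib.parse import unquote


def safe_static_path(document_root: str, url_path: str):
    """Map a URL path to a file under document_root, or return None.

    The request path is percent-decoded exactly once, joined to the
    root, fully resolved (symlinks and '..' included), and accepted only
    if the result is still the root or one of its descendants.
    """
    root = Path(document_root).resolve()

    # Decode once. Decoding again would turn "%252e%252e" into ".." and
    # defeat the check, so never loop on unquote().
    decoded = unquote(url_path)

    # NUL bytes truncate the path in C-level filesystem calls; refuse them
    # before any path arithmetic happens.
    if "\x00" in decoded:
        return None

    # Treat Windows-style separators as separators so "..\\" cannot hide
    # a parent-directory segment (assumption: served paths use '/').
    decoded = decoded.replace("\\", "/")

    # Pitfall: pathlib's '/' operator discards the left side when the
    # right side is absolute, so "/etc/passwd" would become exactly that.
    # The containment check below is what catches it, not the join.
    candidate = (root / decoded).resolve()

    if candidate != root and root not in candidate.parents:
        return None  # escaped the static root: traversal or symlink
    return candidate
```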


django.views.static.server() is based on the Django development server. According to the Django book, "it has not gone through a security audit of any sort".

It is not designed for production purposes and is not tested for that purpose either. It would be insecure to use a non-tested web server.
