Hello Collin, > On 31 déc. 2015, at 23:44, Collin Anderson <[email protected]> wrote: > > I feel like the insecure flag could get renamed to inefficient or something > like that.
This view is insecure for serving user-uploaded files, for reasons Florian hinted at. Browsers “helpfully” get a lot things wrong for legacy reasons. As a consequence, downloading a file is one of the most insecure things you can do in general. I can’t say for sure if it’s insecure for serving static files. I believe Django has some countermeasures against directory traversal attacks for example. However, since the code wasn’t written with security in mind from the beginning, rewriting it from a security perspective may be the most efficient way to make sure it’s secure. Best regards, -- Aymeric. -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/745A1E1A-AE02-410C-B2B1-705BC08378CC%40polytechnique.org. For more options, visit https://groups.google.com/d/optout.
