> And, for the record, the fact that Ubuntu or Debian have chosen these
> defaults doesn't make Apache insecure either. System defaults exist to
> make it easy and obvious to get something started. A responsible
> sysadmin for a public-facing webserver shouldn't be using *any*
> OS-provided defaults without auditing them. To aid that process, the
> Django project is in a position to describe the sorts of issues that a
> sysadmin should watch out for; hence, documenting deployment-related
> security issues such as this one is in scope.
>
> However, at the end of the day, as Graham and I have *repeatedly* told
> you -- this is an issue that should be caught at the webserver, not at
> the application level. Even if we weren't talking about duplicating
> functionality (and we are), there are both practical and technical
> reasons why it is inappropriate for Django to implement file-upload
> size restrictions. This problem can be avoided with appropriate
> configuration of your web server, and therefore should be.
> If you can do that, this episode will blow over and soon you will be as
> welcome as everyone else. Carry on like you are doing and people will
> start to run the other way at the sight of your name.

OK, look. I am trying to be a nice guy here. You are making my job harder than it should be.

Fact: I reported a potential security bug, which did have the incorrect description (sort of ;) ) at the start, but then I provided a clear summary of the issue.

So let me tell you a story. A guy reports a bug to the Django security email; he gets a vacation reply. So he asks on IRC in #django where he should take the issue next, and he is told the django-users mailing list. So he emails the list and they don't take him seriously. They claim that the problem is that people shouldn't be using the default webserver configurations. They claim the problem isn't our fault. They also claim that the guy thinks he is smarter than others. They claim that this guy is wrong because in the "real" world people don't use defaults without auditing *all* of them, right?

I can tell you that this guy feels really stupid right now.

Here is something from the default php5 setup on Debian (for Apache):

    ; Maximum size of POST data that PHP will accept.
    post_max_size = 8M
    ...
    ; Maximum allowed size for uploaded files.
    upload_max_filesize = 2M
    ; Maximum number of files that can be uploaded via a single request
    max_file_uploads = 50

--
How apt the poor are to be proud.
-- William Shakespeare, "Twelfth-Night"
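The quoted reply says the upload limit belongs in the web server configuration but does not show what that looks like. The following is an added example, not from the thread or from the Django project: an Apache `LimitRequestBody` directive scoped to the upload location of a Django site served under mod_wsgi, with the equivalent nginx directive shown in a comment. The host name `example.com`, the path `/srv/app/wsgi.py`, the `/upload/` location and the 10 MiB figure are assumptions chosen for illustration.

```apache
# Added example (not from the thread). Caps the request body Apache will
# accept for this location before anything is handed to the WSGI application.
<VirtualHost *:80>
    # Assumed host name and WSGI entry point.
    ServerName example.com
    WSGIScriptAlias / /srv/app/wsgi.py

    <Location /upload/>
        # Size in bytes (10 MiB). Apache's default for this directive is 0,
        # meaning no limit at all. A request whose body exceeds the limit is
        # answered with 413 Request Entity Too Large and never reaches Django.
        LimitRequestBody 10485760
    </Location>
</VirtualHost>

# nginx equivalent for the same location (also an added comparison, not from
# the thread). nginx's default is 1m; setting 0 disables the check entirely.
#
#   location /upload/ {
#       client_max_body_size 10m;
#   }
```

To confirm the limit is active, post a file larger than the cap and check the status code, for example `curl -s -o /dev/null -w '%{http_code}\n' -F 'file=@large.bin' http://example.com/upload/`, which should print `413`. Note that Django's own `FILE_UPLOAD_MAX_MEMORY_SIZE` setting is not a size cap: it only decides whether an upload is buffered in memory or streamed to a temporary file, so it does not replace the web server directive above.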