cwurld wrote:
So when one says "Serve from Django" does that mean use the "view
django.views.static.serve"?
The documentation says that is not secure. Does anyone know what the
security risk is?
Thanks,
Chuck

It's insecure because of the way that dynamic servers behave versus
static servers. With a dynamic server such as Django, you can abstract
the URL away from the location of the script that creates the content.
Static servers are usually designed so that the URL maps to part of the
file system. You asked earlier why static files (such as CSS and image
files) should not be stored alongside the scripts. This is because a
clever hacker could guess where you have stored your scripts and trick
the static server into returning them (such as a hacker asking for
/static/css/../../../settings.py; whoops, he just got your database
username and password!).
There are ways to prevent this using file permissions and Apache
settings, but out of the box, Django cannot know how your particular
server is set up, so the best they can do is to provide warnings that
this is not a good idea.
As I said before, this is not specifically a Django thing, but this
sort of information can be found online or in any book on Apache/web
server security.
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-users?hl=en