On 12/21/06 2:41 AM, Fredrik Lundh wrote:
> are you trying to say that Django's static server doesn't filter the URL before adding it to the document root?

No, it does (http://code.djangoproject.com/browser/django/trunk/django/views/static.py#L12); the warning is there because nobody has ever really evaluated that code for security, and it's precisely in places like this that security holes crop up.

It's not that we know the view is insecure -- if we did we'd obviously fix it -- it's that we've never put the work into it to make sure it's 100% secure. Given that it's going to be orders of magnitude slower than serving data from a real web server, there's never been any impetus to make the view anything more than a convenient shortcut for initial development.

If someone with experience in web security wanted to audit that view -- and write specific smoke tests that try to compromise its security -- I'd be OK removing the warning (given a clean bill of health, of course).

Again, though, it's not something I really care all that much about; you shouldn't be using that view in production anyway.

Jacob
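The filtering Jacob refers to, and the kind of smoke tests he suggests an auditor would write, can be sketched in a few lines. The following is an added illustration written for this thread, not Django's own static view and not code from any participant; the function names `sanitize_url_path`, `resolve_under_root` and `run_smoke_tests` and the inputs in `SMOKE_CASES` are all constructed here. It goes slightly beyond the thread by adding a second, filesystem-level check (resolving symlinks and confirming the target stays under the document root), since a segment filter alone says nothing about where a link inside the root points.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed cases: (URL path as received, expected sanitized relative path).
# None means the request must be refused outright.
SMOKE_CASES = [
    ("css/site.css", "css/site.css"),
    ("../../etc/passwd", "etc/passwd"),          # plain traversal collapses
    ("..%2F..%2Fetc/passwd", "etc/passwd"),      # encoded separators, decoded once
    ("/abs/../../path", "abs/path"),             # leading slash and '..' dropped
    ("a/./b//c", "a/b/c"),                       # '.' and empty segments dropped
    ("%252e%252e/x", "%2e%2e/x"),                # double-encoding stays a literal name
    ("file%00.txt", None),                       # NUL byte refused
]


def sanitize_url_path(url_path):
    """Reduce a URL path to a relative path built only from plain filename
    segments. Empty, '.' and '..' segments and any drive prefix are dropped,
    so the result cannot climb above whatever root it is later joined to.
    Returns None if the decoded path carries a NUL byte, which C-level file
    APIs would treat as a string terminator."""
    decoded = unquote(url_path)  # decode exactly once; never loop until stable
    if "\x00" in decoded:
        return None
    parts = []
    for segment in decoded.replace("\\", "/").split("/"):
        _drive, segment = os.path.splitdrive(segment)  # strip "C:"-style prefixes
        _head, segment = os.path.split(segment)        # keep only the final name
        if segment in ("", os.curdir, os.pardir):
            continue
        parts.append(segment)
    return "/".join(parts)


def resolve_under_root(document_root, url_path):
    """Join the sanitized path to document_root and confirm, after resolving
    symlinks on both sides, that the target still lies inside the root.
    Returns the absolute target path, or None if the request is refused."""
    relative = sanitize_url_path(url_path)
    if relative is None:
        return None
    root = os.path.realpath(document_root)
    target = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def run_smoke_tests():
    """Run the constructed cases and return a list of failures (empty on success)."""
    failures = []
    for url, want in SMOKE_CASES:
        got = sanitize_url_path(url)
        if got != want:
            failures.append((url, got))
    # A symlink inside the root that points outside it has a harmless-looking
    # URL path, so only the realpath containment check can catch it.
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "static")
        os.mkdir(root)
        os.symlink(base, os.path.join(root, "up"))
        if resolve_under_root(root, "up/secret.txt") is not None:
            failures.append(("up/secret.txt", "escaped root via symlink"))
        expected = os.path.join(os.path.realpath(root), "css", "site.css")
        if resolve_under_root(root, "css/site.css") != expected:
            failures.append(("css/site.css", "valid path rejected"))
    return failures


if __name__ == "__main__":
    for failure in run_smoke_tests():
        print("FAIL:", failure)
```

The segment filter decides what the path *means*; the `realpath` comparison decides where it *lands*. Keeping both is what lets an audit reason about the view independently of how the deployment's document root happens to be laid out.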
