On Mon, 2009-03-30 at 19:37 -0400, Jack Orenstein wrote:
> I have my first Django app running, but with very basic html. I'm
> trying to add my first <img> tag and finding it difficult to serve up
> the image file.
>
> I've read this:
> http://docs.djangoproject.com/en/dev/howto/static-files/?from=olddocs,
> which points out that having django serve static
> content is "inefficient and insecure", and then points to a reference
> for Apache plus mod_python.
>
> Questions:
>
> 1) The method outlined above isn't working for me. urls.py says (for
> my foobar application):
>
>     (r'^media/(?P<path>.*)$', 'django.views.static.serve',
>      {'document_root': '/Users/jao/django/foobar/media'}),
>
> /Users/jao/django/foobar/media/images has xyz.gif, and my page says:
>
>     <img src="/media/images/xyz.gif"/>
>
> But when I load the page, the image doesn't show up. I get a little
> box with a question mark in it.
>
>
> 2) I'm not using mod_python, I'm using mod_wsgi. Is the procedure
> pretty close to that of mod_python?

Yes. As Graham noted in his reply, the serving of static files is done
entirely by the webserver. Although the documentation for this is in the
documentation for mod_python, it doesn't actually have anything
mod_python-specific about it. The instructions are identical.

>
>
> 3) Why exactly is the builtin django method insecure?

Because all software is insecure by default. The media serving code has
not been audited for security and if somebody were to report a "security"
problem with it, we are going to say it's not intended to be secure. We
are simply not taking on the maintenance burden of maintaining software
to do something that dozens of webserver products already do quite well.
It's a matter of using the right tool for the job and Django is not the
right tool for serving static media (in 98% of cases): it's out of scope
intentionally.

Regards,
Malcolm
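
The setup described in the reply above, sketched as an added example that is not part of the original thread: Apache answers /media/ straight from disk and mod_wsgi handles every other URL, so the django.views.static.serve pattern can be dropped from urls.py. It assumes Apache 2.4 directive syntax with mod_wsgi loaded, and the .wsgi script path is hypothetical.

```apache
# Added example (not from the thread). Assumes Apache 2.4 and mod_wsgi.

# Static media is answered by Apache itself; these requests never reach Django.
# The document root is the one given in the question.
Alias /media/ /Users/jao/django/foobar/media/

<Directory /Users/jao/django/foobar/media>
    # Serve plain files only: no directory listings, no CGI or SSI execution,
    # and no per-directory .htaccess overrides.
    Options -Indexes -ExecCGI -Includes
    AllowOverride None
    Require all granted
</Directory>

# Every other URL is handed to the Django application through mod_wsgi.
# Hypothetical script location; point this at your own WSGI script.
WSGIScriptAlias / /Users/jao/django/foobar/apache/django.wsgi

<Directory /Users/jao/django/foobar/apache>
    # Expose only the WSGI entry point, not the rest of the directory.
    <Files django.wsgi>
        Require all granted
    </Files>
</Directory>
```

Only the media directory and the single WSGI script are exposed; the project's Python source stays outside anything Apache will serve as a file.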

