On Jan 5, 11:12 pm, Daniel Hirsch <two.oli...@gmail.com> wrote:
> Hi everyone,
>
> We just launched our first django application into production and my
> server admin is hounding me about its security. He claims that python
> is vulnerable to scripting by the URL, which I quite honestly have no
> clue about.
>
> So, my question to you is two-fold:
>
> 1 - What are the likely and potential vulnerabilities of a django
> install running under mod_wsgi on Apache on Red Hat Enterprise?
> 2 - What are the best practices for securing an installation?
>
> I've searched the documentation and didn't find much mention of any of
> this, so if there is a good source, please point me to it and I'll be
> out of your hair.
>
> Much appreciated!
>
> Daniel Hirsch
Your sysadmin doesn't sound like he knows what he's talking about, unfortunately. Firstly, none of the Python code - either Django or your app - should be in the server root or anywhere that Apache serves. mod_wsgi doesn't run arbitrary Python files depending on the URL, as your sysadmin seems to think, but dispatches URLs to a separate long-running process.

If hackers are able to gain access to your server, install malicious Python files in an area not accessible by Apache, and then change the WSGI application or the Django URLconf to run them, then to be honest you have problems that are well beyond Django's responsibility. Perhaps he is under the mistaken impression that Django is some sort of CGI app?

--
DR.
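The layout the reply describes, as an added Apache virtual-host fragment that is not part of the thread and not Django's or mod_wsgi's own documentation: the Django code lives outside DocumentRoot, Apache is allowed to read only the single `wsgi.py` entry point, and every URL is handed to the long-running daemon process rather than mapped to a file on disk. The paths (`/var/www/html`, `/srv/example_project`), the project name, the `django` system user, the Apache 2.4 `Require` syntax and the mod_wsgi 3.x-or-later `python-path` option are all assumptions for the example.

```apache
# Added example, not from the thread. Assumed layout:
#   /var/www/html                              DocumentRoot: static files only, no Python
#   /srv/example_project                       Django project, outside DocumentRoot
#   /srv/example_project/example_project/wsgi.py   the one WSGI entry point
# Assumes Apache 2.4 access-control syntax and mod_wsgi daemon mode (3.x or later).

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html

    # Static files are the only thing served straight from disk. Alias is
    # listed before WSGIScriptAlias so it wins for /static/ URLs.
    Alias /static/ /var/www/html/static/
    <Directory /var/www/html/static>
        Require all granted
    </Directory>

    # Run the Django app in a separate long-running process as an
    # unprivileged user, with the project directory on its Python path.
    WSGIDaemonProcess example_project user=django group=django \
        processes=2 threads=15 python-path=/srv/example_project
    WSGIProcessGroup example_project

    # Every other URL is handed to this single entry point. The URL path
    # never selects a file on disk; Django's URLconf selects a view.
    WSGIScriptAlias / /srv/example_project/example_project/wsgi.py

    # Apache may read only the entry-point module, nothing else in the project.
    <Directory /srv/example_project/example_project>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
</VirtualHost>
```

A quick check after deploying is to request a source file by URL, for example `/settings.py` or `/example_project/wsgi.py`: with this layout the request reaches Django, which answers with its own 404 (or your URLconf's view), and Apache never reads or serves the file, because nothing under `/srv/example_project` is beneath DocumentRoot or covered by an Alias.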