#35900: staticfiles: Make staticfiles.json location unguessable for security (by obscurity!).
-------------------------------------+-------------------------------------
     Reporter:  Sebastian Pipping    |                     Type:  Uncategorized
       Status:  new                  |                Component:  contrib.staticfiles
      Version:  dev                  |                 Severity:  Normal
     Keywords:  staticfiles security |             Triage Stage:  Unreviewed
                hardening            |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Hi!
An attacker searching for a way to attack a specific Django setup can
check URL `/static/staticfiles.json` and use its content to first derive
used dependencies (potentially down to a specific version) to then derive
attack vectors based on that information.
A fix would be to not use the guessable name `staticfiles.json` by default but
to include some entropy in that filename, à la
`staticfiles_USD7M7XPCLK3CJAEXNMGXN2WLYSHLNE2.json`, e.g. based on
`settings.SECRET_KEY` so that the `ManifestFilesMixin.manifest_name` content
remains stable across all Python processes. The "by default" is key here,
because most users of Django do not seem to consider the security
implications of serving file `staticfiles.json` to attackers; I keep
finding these files in the wild. Yes, security by obscurity is never
enough in isolation, but it does make attacking harder in practice.
Pull request 18778 (https://github.com/django/django/pull/18778) demos one
way the situation could be improved in a backwards-compatible way, by
default and for everyone.
--
Ticket URL: <https://code.djangoproject.com/ticket/35900>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
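The following is an added illustration of the mitigation the ticket proposes, written for this page; it is not the code from pull request 18778 and not part of Django. It derives a manifest filename from `settings.SECRET_KEY` with a keyed hash (HMAC-SHA256, truncated to 160 bits and base32-encoded, which gives the 32-character shape of the ticket's example) so the name is stable across processes and deploys but does not expose the key. The storage subclass, the `_LABEL` constant and the function name are assumptions of this example; the Django import is guarded only so the derivation can be exercised where Django is not installed.

```python
import base64
import hashlib
import hmac
import re

# Django's default, which an attacker can request as /static/staticfiles.json.
DEFAULT_MANIFEST_NAME = "staticfiles.json"

# Hypothetical domain-separation label: the derivation is keyed by SECRET_KEY,
# so reusing the key for this purpose must not collide with its other uses.
_LABEL = b"django.contrib.staticfiles.manifest-name"

_NAME_RE = re.compile(r"^staticfiles_[A-Z2-7]{32}\.json$")


def derive_manifest_name(secret_key: str, digest_bytes: int = 20) -> str:
    """Return 'staticfiles_<32 base32 chars>.json' derived from secret_key.

    HMAC (not a bare hash of the key) means the filename, even if leaked, does
    not give an attacker a preimage target for SECRET_KEY. Twenty digest bytes
    encode to exactly 32 base32 characters with no '=' padding, so the result
    is a safe, portable filename. The output is deterministic: collectstatic
    (which writes the manifest) and every app process (which reads it) agree
    on the location as long as they share the same SECRET_KEY.
    """
    if not secret_key:
        raise ValueError("SECRET_KEY must be non-empty")
    mac = hmac.new(secret_key.encode("utf-8"), _LABEL, hashlib.sha256).digest()
    tag = base64.b32encode(mac[:digest_bytes]).decode("ascii").rstrip("=")
    return f"staticfiles_{tag}.json"


def is_unguessable_manifest_name(name: str) -> bool:
    """Deployment check: the manifest is not at the default path and has the
    expected 160-bit base32 shape."""
    return name != DEFAULT_MANIFEST_NAME and _NAME_RE.fullmatch(name) is not None


try:
    from django.conf import settings
    from django.contrib.staticfiles.storage import ManifestStaticFilesStorage
except ImportError:  # Django absent: the derivation above still runs stand-alone.
    ManifestStaticFilesStorage = None

if ManifestStaticFilesStorage is not None:

    class UnguessableManifestStaticFilesStorage(ManifestStaticFilesStorage):
        """Drop-in replacement for ManifestStaticFilesStorage (example class).

        ManifestFilesMixin loads the manifest from self.manifest_name during
        __init__, so the instance attribute is set before calling super().
        Wire it up in settings with:
            STORAGES = {"staticfiles": {"BACKEND":
                "yourproject.storage.UnguessableManifestStaticFilesStorage"}}
        """

        def __init__(self, *args, **kwargs):
            self.manifest_name = derive_manifest_name(settings.SECRET_KEY)
            super().__init__(*args, **kwargs)


if __name__ == "__main__":
    # Constructed sample key for demonstration only; never a real SECRET_KEY.
    sample_key = "example-only-not-a-real-secret-key"
    name = derive_manifest_name(sample_key)
    print(name, is_unguessable_manifest_name(name))
```

Two practical caveats follow from the design: because the name is a pure function of `SECRET_KEY`, rotating the key without re-running `collectstatic` leaves the app unable to find its manifest (with `manifest_strict` that surfaces as an error at first static lookup, which is the safe failure), and the manifest is still served by the static file server, so the hardening only removes the predictable URL; it does not make the file private.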