Security Advisory: ImageField abuse
18 views
Skip to first unread message
Jacob Kaplan-Moss
Dec 2, 2013, 2:07:40 PM12/2/13
to django-users, django-developers, django-...@googlegroups.com
Hi folks -
We've just published a short security advisory about ImageFields:
https://www.djangoproject.com/weblog/2013/dec/02/image-field-advisory/
ImageField expects a valid image file, but depending on your app it may allow uploads on non-image content, such as HTML or JavaScript. Unfortunately, we cannot offer a solution in Django itself. Rather, you need to take some steps in how you serve static files in order to mitigate this type of attack. These steps are now outlined in our security guide:
We've just published a short security advisory about ImageFields:
https://www.djangoproject.com/weblog/2013/dec/02/image-field-advisory/
ImageField expects a valid image file, but depending on your app it may allow uploads on non-image content, such as HTML or JavaScript. Unfortunately, we cannot offer a solution in Django itself. Rather, you need to take some steps in how you serve static files in order to mitigate this type of attack. These steps are now outlined in our security guide:
We recommend that if you allow image uploads that you check your server's configuration against the above guide.
Jacob
Reply all
Reply to author
Forward
0 new messages