Why serve static files from django is insecure?


Juanjo Conti

Mar 14, 2008, 2:01:51 PM3/14/08
to django...@googlegroups.com
I am reading http://www.djangoproject.com/documentation/0.96/static_files/
and can't find the reason.

Greets!

--
Juanjo Conti

Chris Czub

Mar 14, 2008, 2:35:05 PM3/14/08
to django...@googlegroups.com
I'm not sure about the insecurity issue, but I do know that it's inefficient because it requires your Django server to parse the requests for static media... it's quicker and more correct to set it up in your httpd.conf to bypass Django and serve files statically if a request is made to your static files directory.

<Location "/">
    SetHandler python-program
    PythonHandler django.core.handlers.modpython
    SetEnv DJANGO_SETTINGS_MODULE czubus.settings
    PythonPath "['/home/chrisczub/webapps/django'] + sys.path"
    PythonDebug On
</Location>
<Location "/media">
    SetHandler none
</Location>
<LocationMatch "\.(jpg|gif|png)$">
    SetHandler None
</LocationMatch>

Tim Chase

Mar 14, 2008, 3:50:44 PM3/14/08
to django...@googlegroups.com
> I am reading http://www.djangoproject.com/documentation/0.96/static_files/
> and can't find the reason.

My understanding is that it has nothing to do with serving static
files vs. security.

1) it's advised not to use runserver as your production server.
for many reasons including but not limited to

- it's single-threaded and inefficient
- it's not been very vetted for security as its purpose
is just to give you an easy way to test

2) serving static media from django vs. another server is a waste
of server resources--Apache/lighttpd/tux are highly optimized to
serve static files for you...let them do their job well. Django
is for application logic

3) The only time I'd see having media pass through Django is if
that media is non-static: images that Django creates/edits on
the fly; authenticated access-control to media; or creating
custom JavaScript for a page (rarely a good idea).

-tim

Malcolm Tredinnick

Mar 14, 2008, 9:42:42 PM3/14/08
to django...@googlegroups.com

On Fri, 2008-03-14 at 15:01 -0300, Juanjo Conti wrote:
> I am reading http://www.djangoproject.com/documentation/0.96/static_files/
> and can't find the reason.

Nothing can be considered secure unless it is designed and audited for
security. We have done neither with the static file server. It may not
have existing security holes, but it should not be considered secure
because that's not a design goal.

For example, a secure file server would need to check for resource
allocation problems so that serving a very large file didn't constitute
a denial-of-service attack. That requires a lot of extra code and
pipeline management which isn't worth putting into something that's just
for development purposes.

Regards,
Malcolm

--
Borrow from a pessimist - they don't expect it back.
http://www.pointy-stick.com/blog/
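To make Malcolm's resource-allocation point concrete, here is a small added example (not code from this thread or from Django) contrasting a read-everything-into-memory file server with one that checks the size up front and streams in fixed chunks. The function names, the 1 MiB cap and the sample files are constructed for the illustration.

```python
import os
import tempfile
CHUNK = 8192  # streaming unit; per-request memory stays near this, not near file size

class TooLarge(Exception):
    """Raised when a file exceeds the configured size cap."""

def naive_read(root, relpath):
    """What a development-only server can get away with: slurp the whole file.
    A request for a multi-gigabyte file becomes a multi-gigabyte allocation."""
    with open(os.path.join(root, relpath), "rb") as f:
        return f.read()

def stream_file(root, relpath, max_bytes):
    """Enforce the size cap before any bytes are read, then return a chunk iterator.
    The check sits outside the generator so the caller sees TooLarge immediately."""
    path = os.path.join(root, relpath)
    size = os.path.getsize(path)  # FileNotFoundError for missing files
    if size > max_bytes:
        raise TooLarge(f"{relpath}: {size} bytes exceeds cap of {max_bytes}")
    def chunks():
        with open(path, "rb") as f:
            while block := f.read(CHUNK):
                yield block
    return chunks()

def serve(root, relpath, max_bytes=1024 * 1024):
    """Tiny handler-style wrapper returning (status_code, list_of_chunks)."""
    try:
        return 200, list(stream_file(root, relpath, max_bytes))
    except TooLarge:
        return 413, []
    except FileNotFoundError:
        return 404, []

def make_sample_tree():
    """Constructed sample data: a small text file and a 2 MiB file above the default cap."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "small.txt"), "wb") as f:
        f.write(b"hello static world\n")
    with open(os.path.join(root, "big.bin"), "wb") as f:
        f.write(b"\0" * (2 * 1024 * 1024))
    return root

if __name__ == "__main__":
    root = make_sample_tree()
    print(serve(root, "small.txt"))          # (200, [b'hello static world\n'])
    print(serve(root, "big.bin")[0])         # 413
    print(len(naive_read(root, "big.bin")))  # 2097152, all of it held in memory at once
```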
