At Python Security [1] we are beginning to turn our focus towards an in-depth but informal review of Django. Below is an excerpt from the email [2] I sent to our mailing list:
"[4] is the wiki page for Django. As you can see, we already have a bunch of information. In particular, I've taken a look at the authentication and password storing scheme. Still, there is much work to be done:

- Someone should comb through the Django scaffolding and admin application to check for CSRF vulnerability, leaking sensitive information through URLs, and unvalidated redirects
- An investigation of session management is needed. Update [5] with the specific settings that are referenced there for the cookie timeouts, etc. When a user logs out, is the session invalidated?
- I'd like to take a closer look at Django's ORM. [6] Does it use bound parameters for all backends? Can developers write raw SQL with bound parameters, or is it just using string interpolation? What escaping mechanisms are provided in this case?

I think our efforts towards securing Django could culminate in a single-page handout on hardening Django. Such a handout would cover many of the same topics that the wiki page covers, but keep it brief and focus on what is needed to secure applications in Django. Comments?"

If you have knowledge of any of the above topics, please see the links below to help us speed the review process. I'm sure questions will come up as we're doing our review. We'll bring those questions here unless otherwise requested. I also don't want the issues I raised about contrib.auth [3] to be forgotten.
Craig Younkins

[1] http://www.pythonsecurity.org/
[2] http://groups.google.com/group/python-security/browse_thread/thread/2960396cdd697dbd#
[3] http://groups.google.com/group/django-developers/browse_thread/thread/d192e244c63a71d0/bf9990aa8a0eb80c?lnk=gst&q=Security#bf9990aa8a0eb80c
[4] http://www.pythonsecurity.org/wiki/django/
[5] http://www.pythonsecurity.org/wiki/django/#session-management
[6] http://www.pythonsecurity.org/wiki/django/orm/#django-orm
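One way to start the raw-SQL part of the review the message asks for, as an added example that is neither code from the post nor from Django itself: a small AST scanner that flags Django-style `cursor.execute()` / `Manager.raw()` calls whose query string is assembled by interpolation instead of being passed with bound parameters. The set of method names and the sample view code are assumptions constructed for the demonstration.

```python
import ast
from typing import List, Tuple

# Entry points that take raw SQL as their first argument (Django's
# cursor.execute() and Manager.raw(); an assumed list, not from the post).
RAW_SQL_CALLS = {"execute", "executemany", "raw"}

def _is_interpolated(node: ast.AST) -> bool:
    """True if the SQL argument is assembled at runtime instead of being a literal."""
    if isinstance(node, ast.JoinedStr):                      # f"... {user_input} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                                          # "..." % x  or  "..." + x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "...".format(x)
    return False

def find_unbound_sql(source: str) -> List[Tuple[int, str]]:
    """Return (line, method) for each raw-SQL call whose query is built by interpolation."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        if node.func.attr in RAW_SQL_CALLS and node.args and _is_interpolated(node.args[0]):
            findings.append((node.lineno, node.func.attr))
    return sorted(findings)

# Constructed sample mimicking Django view code; not taken from any real project.
SAMPLE = '''
from django.db import connection
def lookup(request):
    name = request.GET["name"]
    cur = connection.cursor()
    cur.execute("SELECT id FROM auth_user WHERE username = '%s'" % name)   # interpolated
    cur.execute("SELECT id FROM auth_user WHERE username = %s", [name])    # bound parameter
    cur.execute(f"SELECT id FROM auth_user WHERE username = '{name}'")     # f-string
    rows = User.objects.raw("SELECT * FROM auth_user WHERE id = {}".format(name))
    ok = User.objects.raw("SELECT * FROM auth_user WHERE id = %s", [name])
    return rows, ok
'''

if __name__ == "__main__":
    for line, call in find_unbound_sql(SAMPLE):
        print(f"line {line}: .{call}() builds its SQL by string interpolation")
```

The scanner only inspects the first argument syntactically, so a query built into a variable beforehand is not caught; it is a triage aid for reviewers, not a proof of absence.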