On 8/29/2010 8:07 AM, dave b wrote:
>> An attacker could also assemble a powerful explosive device and detonate
>> it near enough your hosting service to take your site down. What
>> counter-measures are you going to take against that?
> 
> Good question. I have two cats and they like to lick people ^^
> They are a bit friendly I guess. Do you think I can train them to
> pounce on strangers?
> 
> 
>> You perhaps feel people aren't taking your proposal seriously enough.
>> The fact of the matter is that security is never absolute, and on a
>> threat scale of 0 to 10 this issue comes in at about 1.7. If you are
>> running a professional service and you are monitoring it correctly then
>> you ought to notice an attack of this nature before it does too much damage.
> 
> Look, I sent you guys an email, I sent a patch for one of the problems
> and pointed out the second one. I just can't make you guys happy, can I?
> 
> http://cwe.mitre.org/top25/
> [22]  145     CWE-770         Allocation of Resources Without Limits or Throttling
> http://cwe.mitre.org/top25/#CWE-770
> But ok if you say so ;)
> I wonder how much RAM most commonly found Django installations
> that allow file upload on the internet have?  Now remember a lot of
> those have a fairly fast download and upload ;)
> Bonus points if they have mod_deflate decompressing the user request body ;)
> 
>> I repeat, you may be correct in treating this as a vulnerability, but
>> your estimate of its seriousness appears to disagree with that of
>> others. If you want to have your code seriously considered for inclusion
>> (and why not?) you should raise it in the Django issue tracker - see
>> "Reporting Bugs" in
> 
> I did as I was advised to :)
> Someone first told me on IRC in #django that I should raise it here first :)
> 
> Please see http://code.djangoproject.com/ticket/14192

That's cool. Sorry I nagged you unnecessarily. Yes, it might be a
problem. But you'll notice it's #22 on a list of 25 ...

Anyway, since you have done your civic duty there's a good chance that a
fix will find its way into some future version. Thanks for being a good
citizen.

regards
 Steve

-- 
DjangoCon US 2010 September 7-9 http://djangocon.us/
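The resource-exhaustion risk dave b is pointing at in the quoted message (an upload path that buffers whatever the client sends, made worse when a front end such as mod_deflate inflates a compressed request body before the application sees it) is easier to reason about with the two readers side by side. The following is an added illustration, not Django's code and not the patch attached to the ticket; the reader functions, the InflatingStream wrapper, the 1 MiB limit and the 8 MiB inflated body are all constructed for this example.

```python
import io
import zlib


class UploadTooLarge(Exception):
    """Raised when a request body exceeds the configured memory/disk budget."""


def read_upload_unbounded(stream, chunk_size=64 * 1024):
    """CWE-770 pattern: buffer the whole body, however large it turns out to be.

    Memory use is proportional to whatever the client (or the front end, after
    decompression) delivers, so a fast uploader can exhaust the worker's RAM.
    """
    buf = io.BytesIO()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf.write(chunk)
    return buf.getvalue()


def read_upload_bounded(stream, max_bytes, declared_length=None, chunk_size=64 * 1024):
    """Hardened reader: enforce a hard cap on the bytes actually consumed.

    The declared Content-Length (if any) is only an early-rejection hint. It is
    client-controlled and, once a front end has transparently inflated the body,
    it no longer describes what the application will read, so the real check is
    on bytes received. We never read more than one byte past the limit.
    """
    if declared_length is not None and declared_length > max_bytes:
        raise UploadTooLarge(f"declared length {declared_length} exceeds limit {max_bytes}")
    buf = io.BytesIO()
    total = 0
    while True:
        chunk = stream.read(min(chunk_size, max_bytes - total + 1))
        if not chunk:
            break
        total += len(chunk)
        if total > max_bytes:
            raise UploadTooLarge(f"body exceeded {max_bytes} bytes")
        buf.write(chunk)
    return buf.getvalue()


class InflatingStream:
    """Hypothetical stand-in for a front end that inflates request bodies.

    Wraps a zlib-compressed byte string and presents the *inflated* bytes to the
    application reader, a few kilobytes of compressed input at a time.
    """

    def __init__(self, compressed, raw_chunk=4096):
        self._src = io.BytesIO(compressed)
        self._inflater = zlib.decompressobj()
        self._pending = b""
        self._raw_chunk = raw_chunk
        self._done = False

    def read(self, n):
        while len(self._pending) < n and not self._done:
            raw = self._inflater.unconsumed_tail or self._src.read(self._raw_chunk)
            if not raw:
                self._pending += self._inflater.flush()
                self._done = True
            else:
                # max_length=n keeps the inflater from expanding more than we asked for
                self._pending += self._inflater.decompress(raw, n)
        out, self._pending = self._pending[:n], self._pending[n:]
        return out


def demo(limit=1024 * 1024, inflated_size=8 * 1024 * 1024):
    """Constructed scenario: a tiny compressed body that inflates to 8 MiB.

    Returns (bytes on the wire, bytes the naive reader buffered, verdict of the
    bounded reader). The declared length is the compressed size, which is well
    under the limit, so only the check on consumed bytes catches it.
    """
    compressed = zlib.compress(b"\0" * inflated_size)  # constructed, highly compressible
    on_wire = len(compressed)
    unbounded = len(read_upload_unbounded(InflatingStream(compressed)))
    try:
        read_upload_bounded(InflatingStream(compressed), limit, declared_length=on_wire)
        verdict = "accepted"
    except UploadTooLarge:
        verdict = "rejected"
    return on_wire, unbounded, verdict


if __name__ == "__main__":
    wire, naive, verdict = demo()
    print(f"on the wire: {wire} bytes; naive reader buffered {naive} bytes; bounded reader: {verdict}")
```

The point of the example is the order of the checks: a Content-Length test alone passes the inflated body, because the header describes the compressed bytes, while counting what is actually consumed stops the read within one chunk of the limit regardless of what sits in front of the application.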
