Re: potential issue re in memory django file uploading.

2010-09-03 Thread James Bennett
On Fri, Sep 3, 2010 at 2:04 PM, dave b wrote: > Ok no movement :) Nor is there likely to be. Insofar as you've identified a problem at all, it's a problem in a piece of software that isn't Django, and you've ignored multiple people who've pointed that fact out to you

Re: potential issue re in memory django file uploading.

2010-09-03 Thread dave b
Ok no movement :) Lighttpd has a default limit of 2gb, cherokee seems to have the same. Pin it on the httpd all you like - but the default apache has no limit (0 - unlimited :) ). http://httpd.apache.org/docs/2.0/mod/core.html#limitrequestbody -- The better part of valor is discretion.

Re: potential issue re in memory django file uploading.

2010-08-30 Thread dave b
> His response is to say he will escalate this to some other security > forum. We can only assume that this is a threat that he will raise > merry hell until we do what he says. Right first: Yes I am sorry for the 9 or so posts :) I am only human. Right. Um no that's not a threat. That's being

Re: potential issue re in memory django file uploading.

2010-08-30 Thread Russell Keith-Magee
On Tue, Aug 31, 2010 at 10:01 AM, dave b wrote: >> And, for the record, the fact that Ubuntu or Debian have chosen these >> defaults doesn't make Apache insecure either. System defaults exist to >> make it easy and obvious to get something started. A responsible >> sysadmin

Re: potential issue re in memory django file uploading.

2010-08-30 Thread dave b
On 31 August 2010 12:04, Russell Keith-Magee wrote: >> On 8/30/2010 9:09 PM, dave b wrote: >>> Do not pass go do not collect profit! > ... >>> Put your hands up in the air like you just don't care! > ... >>> blahblahblalbha sssh listen. > ... > > On Tue, Aug 31, 2010 at

Re: potential issue re in memory django file uploading.

2010-08-30 Thread Steve Holden
Thanks for the reminder. I apologize. regards Steve On Aug 30, 2010 10:04 PM, "Russell Keith-Magee" wrote: >> On 8/30/2010 9:09 PM, dave b wrote: >>> Do not pass go do not collect profit! > ... >>> Put your hands up in the air like you just don't care! > ... >>>

Re: potential issue re in memory django file uploading.

2010-08-30 Thread Russell Keith-Magee
> On 8/30/2010 9:09 PM, dave b wrote: >> Do not pass go do not collect profit! ... >> Put your hands up in the air like you just don't care! ... >> blahblahblalbha sssh listen. ... On Tue, Aug 31, 2010 at 9:42 AM, Steve Holden wrote: > Frankly, at this stage you can stick

Re: potential issue re in memory django file uploading.

2010-08-30 Thread dave b
> And, for the record, the fact that Ubuntu or Debian have chosen these > defaults doesn't make Apache insecure either. System defaults exist to > make it easy and obvious to get something started. A responsible > sysadmin for a public-facing webserver shouldn't be using *any* > OS-provided

Re: potential issue re in memory django file uploading.

2010-08-30 Thread Russell Keith-Magee
On Tue, Aug 31, 2010 at 9:09 AM, dave b wrote: >>> Secure by default please! >> >> That's an easy epithet to throw around, but I disagree that it is >> appropriate here. "Security" doesn't mean "stops the user from making >> mistakes". > > Looks like wsgi, apache2 and django

Re: potential issue re in memory django file uploading.

2010-08-30 Thread Steve Holden
On 8/30/2010 9:09 PM, dave b wrote: >>> Secure by default please! >> >> That's an easy epithet to throw around, but I disagree that it is >> appropriate here. "Security" doesn't mean "stops the user from making >> mistakes". > > Looks like wsgi, apache2 and django all on ubuntu PLACE no size

Re: potential issue re in memory django file uploading.

2010-08-30 Thread Tim Chase
On 08/30/10 10:09, dave b wrote: well you finish the tutorial(s) now and then you try to upload a file right? So you start uploading the file. Now because (I assume you are still using the django built in webserver) why don't you play with this a bit, start uploading say 10 1gb files(all at

Re: potential issue re in memory django file uploading.

2010-08-30 Thread dave b
> > From my testing (granted this was run against something pre-1.2 so things > may have changed since then), as soon as you initiate the first file upload, > you're monopolizing the devserver process, preventing further attempts to do > the following 9 uploads until the first has completed

Re: potential issue re in memory django file uploading.

2010-08-30 Thread dave b
>> Secure by default please! > > That's an easy epithet to throw around, but I disagree that it is > appropriate here. "Security" doesn't mean "stops the user from making > mistakes". Looks like wsgi, apache2 and django all on ubuntu PLACE no size limits at all by default. Isn't that neat? I think

Re: potential issue re in memory django file uploading.

2010-08-30 Thread Russell Keith-Magee
On Mon, Aug 30, 2010 at 11:09 PM, dave b wrote: >> I don't actually use Django so not 100% sure, but yes there possibly >> isn't an equivalent of LimitRequestBody definable within Django unless >> can be done with middleware. > > Ok so you don't even use django, ok... > You

Re: potential issue re in memory django file uploading.

2010-08-30 Thread Graham Dumpleton
On Aug 31, 1:09 am, dave b wrote: > /me rolls eyes. > You have a valid point re /tmp, sorry I am used to mounting /tmp as > /tmpfs - my mistake :) > Ok let's be *really* clear the security problem still exists. > An attacker can, within the limits set on the maximum post by the

Re: potential issue re in memory django file uploading.

2010-08-30 Thread dave b
/me rolls eyes. You have a valid point re /tmp, sorry I am used to mounting /tmp as /tmpfs - my mistake :) Ok let's be *really* clear the security problem still exists. An attacker can, within the limits set on the maximum post by the httpd / module in use, upload a large file. > I don't actually use

Re: potential issue re in memory django file uploading.

2010-08-30 Thread Graham Dumpleton
On Aug 30, 1:54 pm, dave b wrote: > On 30 August 2010 11:04, Russell Keith-Magee wrote: > > > > > > > On Sun, Aug 29, 2010 at 8:26 PM, dave b wrote: > >  1) An actual problem where you can clearly describe the

Re: potential issue re in memory django file uploading.

2010-08-29 Thread dave b
On 30 August 2010 11:04, Russell Keith-Magee wrote: > On Sun, Aug 29, 2010 at 8:26 PM, dave b wrote: >  1) An actual problem where you can clearly describe the circumstances > or sequence of events that would allow an attack to occur, and >  2)

Re: potential issue re in memory django file uploading.

2010-08-29 Thread Russell Keith-Magee
On Sun, Aug 29, 2010 at 8:26 PM, dave b wrote: >> Anyway, since you have done your civic duty there's a good chance that a >> fix will find its way into some future version. Thanks for being a good >> citizen. > > Django is an awesome project and. However, a bug is a bug. I

Re: potential issue re in memory django file uploading.

2010-08-29 Thread Graham Dumpleton
On Aug 29, 9:43 pm, dave b wrote: > > OK, so you don't believe the advice you are getting, which is that of > > the many issues a Django site will face this is a relatively low > > probability attack. That's fair enough - a vulnerability is a > > vulnerability, after all,

Re: potential issue re in memory django file uploading.

2010-08-29 Thread dave b
> Anyway, since you have done your civic duty there's a good chance that a > fix will find its way into some future version. Thanks for being a good > citizen. Django is an awesome project and. However, a bug is a bug. I don't care if it is a security bug or not, a bug *should* get fixed. FYI: I

Re: potential issue re in memory django file uploading.

2010-08-29 Thread Steve Holden
On 8/29/2010 8:07 AM, dave b wrote: >> An attacker could also assemble a powerful explosive device and detonate >> it near enough your hosting service to take your site down. What >> counter-measures are you going to take against that? > > Good question. I have two cats and they like to lick

Re: potential issue re in memory django file uploading.

2010-08-29 Thread dave b
> An attacker could also assemble a powerful explosive device and detonate > it near enough your hosting service to take your site down. What > counter-measures are you going to take against that? Good question. I have two cats and they like to lick people ^^ They are a bit friendly I guess. Do

Re: potential issue re in memory django file uploading.

2010-08-29 Thread Steve Holden
On 8/29/2010 7:43 AM, dave b wrote: >> OK, so you don't believe the advice you are getting, which is that of >> the many issues a Django site will face this is a relatively low >> probability attack. That's fair enough - a vulnerability is a >> vulnerability, after all, no matter how improbable,

Re: potential issue re in memory django file uploading.

2010-08-29 Thread dave b
> OK, so you don't believe the advice you are getting, which is that of > the many issues a Django site will face this is a relatively low > probability attack. That's fair enough - a vulnerability is a > vulnerability, after all, no matter how improbable, and not everyone > will set up their

Re: potential issue re in memory django file uploading.

2010-08-29 Thread Steve Holden
On 8/29/2010 12:05 AM, dave b wrote: > On 29 August 2010 13:33, Graham Dumpleton wrote: >> >> >> On Aug 29, 1:17 pm, dave b wrote: >>> On 29 August 2010 08:28, Steve Holden wrote: >>> On 8/28/2010 6:10 PM, Graham

Re: potential issue re in memory django file uploading.

2010-08-28 Thread dave b
On 29 August 2010 13:33, Graham Dumpleton wrote: > > > On Aug 29, 1:17 pm, dave b wrote: >> On 29 August 2010 08:28, Steve Holden wrote: >> >> > On 8/28/2010 6:10 PM, Graham Dumpleton wrote: >> >> On Aug 28, 11:21 pm, dave

Re: potential issue re in memory django file uploading.

2010-08-28 Thread Graham Dumpleton
On Aug 29, 1:17 pm, dave b wrote: > On 29 August 2010 08:28, Steve Holden wrote: > > > On 8/28/2010 6:10 PM, Graham Dumpleton wrote: > >> On Aug 28, 11:21 pm, dave b wrote: > >> So obviously my proposed attack is to simply

Re: potential issue re in memory django file uploading.

2010-08-28 Thread dave b
On 29 August 2010 13:17, dave b wrote: > On 29 August 2010 08:28, Steve Holden wrote: >> On 8/28/2010 6:10 PM, Graham Dumpleton wrote: >>> On Aug 28, 11:21 pm, dave b wrote: >>> So obviously my proposed attack is to simply

Re: potential issue re in memory django file uploading.

2010-08-28 Thread dave b
On 29 August 2010 08:28, Steve Holden wrote: > On 8/28/2010 6:10 PM, Graham Dumpleton wrote: >> On Aug 28, 11:21 pm, dave b wrote: >> So obviously my proposed attack is to simply say "content length is >> tiny" and "this file is actually HUGE".

Re: potential issue re in memory django file uploading.

2010-08-28 Thread Steve Holden
On 8/28/2010 6:10 PM, Graham Dumpleton wrote: > On Aug 28, 11:21 pm, dave b wrote: > So obviously my proposed attack is to simply say "content length is > tiny" and "this file is actually HUGE". [...] > All up, I would suggest you are getting worked up over nothing.

Re: potential issue re in memory django file uploading.

2010-08-28 Thread Graham Dumpleton
On Aug 28, 11:21 pm, dave b wrote: > >>> So obviously my proposed attack is to simply say "content length is > >>> tiny" and "this file is actually HUGE". > >>> I hope I missed something :) I don't really want this to occur ... > > >> A decent web server such as Apache

Re: potential issue re in memory django file uploading.

2010-08-28 Thread Steve Holden
On 8/28/2010 9:50 AM, dave b wrote: > On 28 August 2010 23:21, dave b wrote: >> On 28 August 2010 23:09, dave b wrote: [...] >>> The documentation and code in django suggests that this is not the >>> case. So lets assume we are not using apache but

Re: potential issue re in memory django file uploading.

2010-08-28 Thread dave b
On 28 August 2010 23:21, dave b wrote: > On 28 August 2010 23:09, dave b wrote: >> On 28 August 2010 22:46, Graham Dumpleton wrote: >>> >>> >>> On Aug 28, 7:58 pm, "david b." wrote: Ok so I

Re: potential issue re in memory django file uploading.

2010-08-28 Thread dave b
On 28 August 2010 23:09, dave b wrote: > On 28 August 2010 22:46, Graham Dumpleton wrote: >> >> >> On Aug 28, 7:58 pm, "david b." wrote: >>> Ok so I was looking through the code and I saw this (in >>>

Re: potential issue re in memory django file uploading.

2010-08-28 Thread dave b
On 28 August 2010 22:46, Graham Dumpleton wrote: > > > On Aug 28, 7:58 pm, "david b." wrote: >> Ok so I was looking through the code and I saw this (in >> django/core/files/uploadhandler.py) : >> >> FileUploadHandler >> ... >> >>    def

Re: potential issue re in memory django file uploading.

2010-08-28 Thread Graham Dumpleton
On Aug 28, 7:58 pm, "david b." wrote: > Ok so I was looking through the code and I saw this (in > django/core/files/uploadhandler.py) : > > FileUploadHandler > ... > >    def new_file(self, field_name, file_name, content_type, > content_length, charset=None): >        """

potential issue re in memory django file uploading.

2010-08-28 Thread david b.
Ok so I was looking through the code and I saw this (in django/core/files/uploadhandler.py) : FileUploadHandler ... def new_file(self, field_name, file_name, content_type, content_length, charset=None): """ Signal that a new file has been started. Warning: As with any