On Fri, Sep 3, 2010 at 2:04 PM, dave b wrote:
> Ok no movement :)
Nor is there likely to be. Insofar as you've identified a problem at
all, it's a problem in a piece of software that isn't Django, and
you've ignored multiple people who've pointed that fact out to you
Ok no movement :)
Lighttpd has a default limit of 2gb, cherokee seems to have the same.
Pin it on the httpd all you like - but the default apache has no limit
(0 - unlimited :) ).
http://httpd.apache.org/docs/2.0/mod/core.html#limitrequestbody
--
The better part of valor is discretion.
> His response is to say he will escalate this to some other security
> forum. We can only assume that this is a threat that he will raise
> merry hell until we do what he says.
Right first: Yes I am sorry for the 9 or so posts :) I am only human.
Right. Um no that's not a threat.
That's being
On Tue, Aug 31, 2010 at 10:01 AM, dave b wrote:
>> And, for the record, the fact that Ubuntu or Debian have chosen these
>> defaults doesn't make Apache insecure either. System defaults exist to
>> make it easy and obvious to get something started. A responsible
>> sysadmin
On 31 August 2010 12:04, Russell Keith-Magee wrote:
>> On 8/30/2010 9:09 PM, dave b wrote:
>>> Do not pass go do not collect profit!
> ...
>>> Put your hands up in the air like you just don't care!
> ...
>>> blahblahblalbha sssh listen.
> ...
>
> On Tue, Aug 31, 2010 at
Thanks for the reminder. I apologize.
regards
Steve
On Aug 30, 2010 10:04 PM, "Russell Keith-Magee"
wrote:
>> On 8/30/2010 9:09 PM, dave b wrote:
>>> Do not pass go do not collect profit!
> ...
>>> Put your hands up in the air like you just don't care!
> ...
>>>
> On 8/30/2010 9:09 PM, dave b wrote:
>> Do not pass go do not collect profit!
...
>> Put your hands up in the air like you just don't care!
...
>> blahblahblalbha sssh listen.
...
On Tue, Aug 31, 2010 at 9:42 AM, Steve Holden wrote:
> Frankly, at this stage you can stick
> And, for the record, the fact that Ubuntu or Debian have chosen these
> defaults doesn't make Apache insecure either. System defaults exist to
> make it easy and obvious to get something started. A responsible
> sysadmin for a public-facing webserver shouldn't be using *any*
> OS-provided
On Tue, Aug 31, 2010 at 9:09 AM, dave b wrote:
>>> Secure by default please!
>>
>> That's an easy epithet to throw around, but I disagree that it is
>> appropriate here. "Security" doesn't mean "stops the user from making
>> mistakes".
>
> Looks like wsgi, apache2 and django
On 8/30/2010 9:09 PM, dave b wrote:
>>> Secure by default please!
>>
>> That's an easy epithet to throw around, but I disagree that it is
>> appropriate here. "Security" doesn't mean "stops the user from making
>> mistakes".
>
> Looks like wsgi, apache2 and django all on ubuntu PLACE no size
On 08/30/10 10:09, dave b wrote:
well you finish the tutorial(s) now and then you try to upload
a file right? So you start uploading the file. Now because (I
assume you are still using the django built in webserver) why
don't you play with this a bit, start uploading say 10 1gb
files(all at
>
> From my testing (granted this was run against something pre-1.2 so things
> may have changed since then), as soon as you initiate the first file upload,
> you're monopolizing the devserver process, preventing further attempts to do
> the following 9 uploads until the first has completed
>> Secure by default please!
>
> That's an easy epithet to throw around, but I disagree that it is
> appropriate here. "Security" doesn't mean "stops the user from making
> mistakes".
Looks like wsgi, apache2 and django all on ubuntu PLACE no size limits
at all by default. Isn't that neat?
I think
On Mon, Aug 30, 2010 at 11:09 PM, dave b wrote:
>> I don't actually use Django so not 100% sure, but yes there possibly
>> isn't an equivalent of LimitRequestBody definable within Django unless
>> can be done with middleware.
>
> Ok so you don't even use django, ok...
> You
On Aug 31, 1:09 am, dave b wrote:
> /me rolls eyes.
> You have a valid point re /tmp, sorry I am used to mounting /tmp as
> /tmpfs - my mistake :)
> Ok let's be *really* clear the security problem still exists.
> An attacker can, within the limits set on the maximum post by the
/me rolls eyes.
You have a valid point re /tmp, sorry I am used to mounting /tmp as
/tmpfs - my mistake :)
Ok let's be *really* clear the security problem still exists.
An attacker can, within the limits set on the maximum post by the httpd /
module in use, upload a large file.
> I don't actually use
On Aug 30, 1:54 pm, dave b wrote:
> On 30 August 2010 11:04, Russell Keith-Magee wrote:
>
>
>
>
>
> > On Sun, Aug 29, 2010 at 8:26 PM, dave b wrote:
> > 1) An actual problem where you can clearly describe the
On 30 August 2010 11:04, Russell Keith-Magee wrote:
> On Sun, Aug 29, 2010 at 8:26 PM, dave b wrote:
> 1) An actual problem where you can clearly describe the circumstances
> or sequence of events that would allow an attack to occur, and
> 2)
On Sun, Aug 29, 2010 at 8:26 PM, dave b wrote:
>> Anyway, since you have done your civic duty there's a good chance that a
>> fix will find its way into some future version. Thanks for being a good
>> citizen.
>
> Django is an awesome project and. However, a bug is a bug. I
On Aug 29, 9:43 pm, dave b wrote:
> > OK, so you don't believe the advice you are getting, which is that of
> > the many issues a Django site will face this is a relatively low
> > probability attack. That's fair enough - a vulnerability is a
> > vulnerability, after all,
> Anyway, since you have done your civic duty there's a good chance that a
> fix will find its way into some future version. Thanks for being a good
> citizen.
Django is an awesome project and. However, a bug is a bug. I don't
care if it is a security bug or not, a bug *should* get fixed.
FYI: I
On 8/29/2010 8:07 AM, dave b wrote:
>> An attacker could also assemble a powerful explosive device and detonate
>> it near enough your hosting service to take your site down. What
>> counter-measures are you going to take against that?
>
> Good question. I have two cats and they like to lick
> An attacker could also assemble a powerful explosive device and detonate
> it near enough your hosting service to take your site down. What
> counter-measures are you going to take against that?
Good question. I have two cats and they like to lick people ^^
They are a bit friendly I guess. Do
On 8/29/2010 7:43 AM, dave b wrote:
>> OK, so you don't believe the advice you are getting, which is that of
>> the many issues a Django site will face this is a relatively low
>> probability attack. That's fair enough - a vulnerability is a
>> vulnerability, after all, no matter how improbable,
> OK, so you don't believe the advice you are getting, which is that of
> the many issues a Django site will face this is a relatively low
> probability attack. That's fair enough - a vulnerability is a
> vulnerability, after all, no matter how improbable, and not everyone
> will set up their
On 8/29/2010 12:05 AM, dave b wrote:
> On 29 August 2010 13:33, Graham Dumpleton wrote:
>>
>>
>> On Aug 29, 1:17 pm, dave b wrote:
>>> On 29 August 2010 08:28, Steve Holden wrote:
>>>
On 8/28/2010 6:10 PM, Graham
On 29 August 2010 13:33, Graham Dumpleton wrote:
>
>
> On Aug 29, 1:17 pm, dave b wrote:
>> On 29 August 2010 08:28, Steve Holden wrote:
>>
>> > On 8/28/2010 6:10 PM, Graham Dumpleton wrote:
>> >> On Aug 28, 11:21 pm, dave
On Aug 29, 1:17 pm, dave b wrote:
> On 29 August 2010 08:28, Steve Holden wrote:
>
> > On 8/28/2010 6:10 PM, Graham Dumpleton wrote:
> >> On Aug 28, 11:21 pm, dave b wrote:
> >> So obviously my proposed attack is to simply
On 29 August 2010 13:17, dave b wrote:
> On 29 August 2010 08:28, Steve Holden wrote:
>> On 8/28/2010 6:10 PM, Graham Dumpleton wrote:
>>> On Aug 28, 11:21 pm, dave b wrote:
>>> So obviously my proposed attack is to simply
On 29 August 2010 08:28, Steve Holden wrote:
> On 8/28/2010 6:10 PM, Graham Dumpleton wrote:
>> On Aug 28, 11:21 pm, dave b wrote:
>> So obviously my proposed attack is to simply say "content length is
>> tiny" and "this file is actually HUGE".
On 8/28/2010 6:10 PM, Graham Dumpleton wrote:
> On Aug 28, 11:21 pm, dave b wrote:
> So obviously my proposed attack is to simply say "content length is
> tiny" and "this file is actually HUGE".
[...]
> All up, I would suggest you are getting worked up over nothing.
On Aug 28, 11:21 pm, dave b wrote:
> >>> So obviously my proposed attack is to simply say "content length is
> >>> tiny" and "this file is actually HUGE".
> >>> I hope I missed something :) I don't really want this to occur ...
>
> >> A decent web server such as Apache
On 8/28/2010 9:50 AM, dave b wrote:
> On 28 August 2010 23:21, dave b wrote:
>> On 28 August 2010 23:09, dave b wrote:
[...]
>>> The documentation and code in django suggests that this is not the
>>> case. So lets assume we are not using apache but
On 28 August 2010 23:21, dave b wrote:
> On 28 August 2010 23:09, dave b wrote:
>> On 28 August 2010 22:46, Graham Dumpleton wrote:
>>>
>>>
>>> On Aug 28, 7:58 pm, "david b." wrote:
Ok so I
On 28 August 2010 23:09, dave b wrote:
> On 28 August 2010 22:46, Graham Dumpleton wrote:
>>
>>
>> On Aug 28, 7:58 pm, "david b." wrote:
>>> Ok so I was looking through the code and I saw this (in
>>>
On 28 August 2010 22:46, Graham Dumpleton wrote:
>
>
> On Aug 28, 7:58 pm, "david b." wrote:
>> Ok so I was looking through the code and I saw this (in
>> django/core/files/uploadhandler.py) :
>>
>> FileUploadHandler
>> ...
>>
>> def
On Aug 28, 7:58 pm, "david b." wrote:
> Ok so I was looking through the code and I saw this (in
> django/core/files/uploadhandler.py) :
>
> FileUploadHandler
> ...
>
> def new_file(self, field_name, file_name, content_type,
> content_length, charset=None):
> """
Ok so I was looking through the code and I saw this (in
django/core/files/uploadhandler.py) :
FileUploadHandler
...
def new_file(self, field_name, file_name, content_type,
content_length, charset=None):
"""
Signal that a new file has been started.
Warning: As with any