> On Sun, Aug 29, 2010 at 8:26 PM, dave b <db.pub.mail@gmail.com> wrote:
> 1) An actual problem where you can clearly describe the circumstances
> or sequence of events that would allow an attack to occur, and
> 2) Something that is actually Django's problem -- by which I mean,
> something that is actually Django's responsibility to solve, rather
> than something that is a webserver configuration issue.
>
> At this point, it's not clear to me that either of these two things
> are true. Based on your messages and the feedback from Graham and
> Steve, it sounds like you're describing an attack that *could* exist,
> but only if you've got a misconfigured (or badly implemented) web
> server.
>
> If you believe that I'm wrong, and there *is* an actual problem, you
> need to convince us. This doesn't mean posting large wads of Django's
> source code and proposed patches over multiple messages. It means
> describing in clear, concise language exactly what conditions need to
> exist for a problem to occur.
>
> Yours,
> Russ Magee %-)
Morning. Will do so below here.
Just do remember, there is more than one way to run a httpd, some of
us run our own custom stuff ;) and not everyone is using a setup like
you have.
-------------------
Feature: Attacker crashes your django installation via file uploading
As attacker
I want to crash your django installation
To take your site down or reduce its availability, so I can steal the
underpants and then profit!!!!
Background:
Given I am an attacker
And you have uploads enabled with the default settings (memory and
temporary file).
And you are running on a platform with /tmp
Feature: I upload a 1gb file and have this go into system memory
Given I have a 1gb file
When I upload it to the website
Then I should see that your system now has used an additional 1gb of /tmp
And available system memory is now reduced
So basically I was saying there are two problems.
One is if the httpd isn't behaving properly (this is probably not
entirely true) with respect to the content length field and abusing
memory limitation.
The second issue is that there is no *default* set limit on temporary
file uploads, so any file larger than 2.5mb can find its way to /tmp
and there is no limit on the size of these files in django core.
That is there is no set limit on the size of a temporary file upload.
The second problem is going to exist within the bounds of the set
limits of the webserver and the various mods that are used with
django.
In an extreme and very unlikely case, the httpd may ungzip the data
from the attacker and modify the content length (when it knows what it
should be - the connection is terminated), with django getting a large
amount of data to store from a much smaller user body request.
--
Let me take you a button-hole lower. -- William Shakespeare, "Love's
Labour's Lost"
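The mitigation for the second issue raised above (no core-enforced cap on what the temporary file handler will write to /tmp) is a custom upload handler placed ahead of Django's defaults in FILE_UPLOAD_HANDLERS. The following is an added example, not code from the thread or from Django itself; it counts bytes actually received rather than trusting Content-Length, and the `MAX_UPLOAD_BYTES` value, the `simulate_upload` helper and the fallback stubs used when Django is not importable are all constructed for illustration.

```python
try:
    from django.core.files.uploadhandler import FileUploadHandler, StopUpload
except ImportError:
    # Stand-ins with the same shape so the handler logic runs without Django.
    class FileUploadHandler:
        def __init__(self, request=None):
            self.request = request

    class StopUpload(Exception):
        def __init__(self, connection_reset=False):
            self.connection_reset = connection_reset

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # constructed cap; size it for your deployment


class MaxSizeUploadHandler(FileUploadHandler):
    """Abort an upload once more than max_bytes have really arrived.

    Register it first in FILE_UPLOAD_HANDLERS so it sees every chunk before
    MemoryFileUploadHandler / TemporaryFileUploadHandler store anything.
    """

    def __init__(self, request=None, max_bytes=MAX_UPLOAD_BYTES):
        super().__init__(request)
        self.max_bytes = max_bytes
        self.received = 0

    def handle_raw_input(self, input_data, META, content_length, boundary, encoding=None):
        # Cheap early reject when the declared length is already over the cap.
        if content_length is not None and content_length > self.max_bytes:
            raise StopUpload(connection_reset=True)
        return None  # None lets the default handlers continue parsing

    def receive_data_chunk(self, raw_data, start):
        self.received += len(raw_data)
        if self.received > self.max_bytes:
            # connection_reset=True drops the socket instead of draining the
            # rest of the body into RAM or /tmp, which is the exhaustion vector.
            raise StopUpload(connection_reset=True)
        return raw_data  # hand the chunk to the next handler in the chain

    def file_complete(self, file_size):
        return None  # this handler never produces the UploadedFile itself


def simulate_upload(chunks, max_bytes):
    """Feed constructed chunks through the handler; report the outcome."""
    handler = MaxSizeUploadHandler(max_bytes=max_bytes)
    try:
        for chunk in chunks:
            handler.receive_data_chunk(chunk, handler.received)
    except StopUpload as exc:
        return ("rejected", handler.received, exc.connection_reset)
    return ("accepted", handler.received, False)
```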