Sunday, August 29, 2010

Re: potential issue re in memory django file uploading.

On 8/29/2010 8:07 AM, dave b wrote:
>> An attacker could also assemble a powerful explosive device and detonate
>> it near enough to your hosting service to take your site down. What
>> counter-measures are you going to take against that?
>
> Good question. I have two cats and they like to lick people ^^
> They are a bit friendly I guess. Do you think I can train them to
> pounce on strangers?
>
>
>> You perhaps feel people aren't taking your proposal seriously enough.
>> The fact of the matter is that security is never absolute, and on a
>> threat scale of 0 to 10 this issue comes in at about 1.7. If you are
>> running a professional service and you are monitoring it correctly then
>> you ought to notice an attack of this nature before it does too much damage.
>
> Look, I sent you guys an email, I sent a patch for one of the problems
> and pointed out the second one. I just can't make you guys happy, can I?
>
> http://cwe.mitre.org/top25/
> [22] 145 CWE-770 Allocation of Resources Without Limits or Throttling
> http://cwe.mitre.org/top25/#CWE-770
> But ok if you say so ;)
> I wonder how much RAM most commonly found Django installations
> that allow file upload on the internet have? Now remember, a lot of
> those have a fairly fast download and upload ;)
> Bonus points if they have mod_deflate decompressing the user's request body ;)
>
>> I repeat, you may be correct in treating this as a vulnerability, but
>> your estimate of its seriousness appears to disagree with that of
>> others. If you want to have your code seriously considered for inclusion
>> (and why not?) you should raise it in the Django issue tracker - see
>> "Reporting Bugs" in
>
> I did as I was suggested to do :)
> Someone first told me on IRC in #django that I should raise it here first :)
>
> Please see http://code.djangoproject.com/ticket/14192

That's cool. Sorry I nagged you unnecessarily. Yes, it might be a
problem. But you'll notice it's #22 on a list of 25 ...

Anyway, since you have done your civic duty there's a good chance that a
fix will find its way into some future version. Thanks for being a good
citizen.

regards
Steve

--
DjangoCon US 2010 September 7-9 http://djangocon.us/

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
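The issue under discussion is an upload handler that accumulates request bodies in memory with no upper bound (CWE-770). Below is an added example, written for this page and not code from the thread, from Django, or from ticket 14192, of what the throttled form looks like: a handler that follows Django's FileUploadHandler protocol and stops the upload once a per-request byte budget is exceeded. It uses the real `FileUploadHandler` and `StopUpload` when Django is importable and otherwise defines minimal stand-ins with the same method names so it runs on its own; the `stream_upload` driver, the `BoundedMemoryUploadHandler` name, the 2 MiB cap and the sample requests are all assumptions made for the example.

```python
"""
Added example (not from the thread, Django, or ticket 14192): an in-memory
upload handler that caps the bytes it will buffer for one request. Uses
Django's FileUploadHandler/StopUpload if installed, else stand-ins with the
same method names. All sample requests below are constructed, not captured.
"""
try:
    from django.core.files.uploadhandler import FileUploadHandler, StopUpload
except ImportError:
    class StopUpload(Exception):            # stand-in for Django's StopUpload
        def __init__(self, connection_reset=False):
            super().__init__(connection_reset)
            self.connection_reset = connection_reset

    class FileUploadHandler:                # stand-in for Django's base class
        chunk_size = 64 * 2 ** 10           # Django's default chunk size

        def __init__(self, request=None):
            self.request = request

        def handle_raw_input(self, input_data, META, content_length, boundary, encoding=None):
            return None

        def new_file(self, *args, **kwargs):
            pass


class BoundedMemoryUploadHandler(FileUploadHandler):
    """Buffers uploads in memory but never holds more than max_bytes per request.

    Two checks: the declared Content-Length (cheap, but attacker-controlled and
    the *compressed* size behind a decompressing proxy) and a running count of
    bytes actually received, which is the check that cannot be lied to."""

    def __init__(self, request=None, max_bytes=2 * 2 ** 20):   # 2 MiB cap (assumed)
        super().__init__(request)
        self.max_bytes = max_bytes
        self.total = 0                      # bytes accepted so far, all fields together
        self.files = {}                     # field name -> bytearray
        self.current = None

    def handle_raw_input(self, input_data, META, content_length, boundary, encoding=None):
        if content_length is not None and content_length > self.max_bytes:
            raise StopUpload(connection_reset=True)   # refuse before reading the body
        return None                         # None: let the normal multipart parser run

    def new_file(self, field_name, file_name, content_type, content_length,
                 charset=None, content_type_extra=None):
        super().new_file(field_name, file_name, content_type, content_length,
                         charset, content_type_extra)
        self.current = field_name
        self.files[field_name] = bytearray()

    def receive_data_chunk(self, raw_data, start):
        self.total += len(raw_data)
        if self.total > self.max_bytes:     # catches a lying or missing Content-Length
            raise StopUpload(connection_reset=True)
        self.files[self.current].extend(raw_data)
        return None                         # consumed; not passed to later handlers

    def file_complete(self, file_size):
        # Django expects an UploadedFile (e.g. InMemoryUploadedFile) here; raw
        # bytes are returned to keep the example dependency-free.
        return bytes(self.files[self.current])


def stream_upload(handler, body_parts, declared_length=None):
    """Drive a handler the way Django's multipart parser does (simplified):
    handle_raw_input once, then new_file/receive_data_chunk/file_complete per
    part. body_parts is a list of (field_name, bytes). Raises StopUpload."""
    if declared_length is None:
        declared_length = sum(len(data) for _, data in body_parts)
    handler.handle_raw_input(None, {"CONTENT_LENGTH": str(declared_length)},
                             declared_length, boundary=b"----boundary")
    results = {}
    for field_name, data in body_parts:
        handler.new_file(field_name, field_name + ".bin", "application/octet-stream", len(data))
        for start in range(0, len(data), handler.chunk_size):
            handler.receive_data_chunk(data[start:start + handler.chunk_size], start)
        results[field_name] = handler.file_complete(len(data))
    return results


# Constructed sample requests.
SMALL = [("avatar", b"\x89PNG" + b"\x00" * 1000)]          # 1004 bytes
HUGE = [("avatar", b"A" * (3 * 2 ** 20))]                   # 3 MiB, over the cap


def accept_small():
    """Size of the buffered file for a well-behaved upload."""
    return len(stream_upload(BoundedMemoryUploadHandler(), SMALL)["avatar"])


def rejected(parts, declared_length=None):
    """True if the handler stops the upload, False if it buffered everything."""
    try:
        stream_upload(BoundedMemoryUploadHandler(), parts, declared_length)
    except StopUpload:
        return True
    return False
```

The budget is counted across every field in the request, not per file, because nothing stops a client from sending a thousand small parts instead of one big one. The Content-Length check is only an early exit: as the thread notes, with mod_deflate in front of the application the declared length is the compressed size, and a client can simply lie, so the per-chunk count is the check that actually bounds memory. In a real deployment a handler like this would be listed in FILE_UPLOAD_HANDLERS; Django's own MemoryFileUploadHandler bounds itself with FILE_UPLOAD_MAX_MEMORY_SIZE by handing larger files to TemporaryFileUploadHandler.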
