>> Anyway, since you have done your civic duty there's a good chance that a
>> fix will find its way into some future version. Thanks for being a good
>> citizen.
>
> Django is an awesome project. However, a bug is a bug. I don't
> care if it is a security bug or not, a bug *should* get fixed.
>
> FYI: I sent this information originally to the django security contact
> email address as per the website.
> This is what I got back.
>
>
> "I'll be on vacation and offline until December 27th.

This is deeply concerning. This is the second time in very recent
memory that someone has said they've had difficulty getting through to
security@djangoproject.org.
I need to do some investigation to determine exactly what is going on
here. Allow me to assure you that we take security reports *very*
seriously, and if people are having problems contacting security@,
then this is a problem we need to solve as a very high priority.
As for the problem: At this point, I'm thoroughly confused about what
you're actually describing. In order for this to be something that
needs a fix, it needs to be:
1) An actual problem where you can clearly describe the circumstances
or sequence of events that would allow an attack to occur, and
2) Something that is actually Django's problem -- by which I mean,
something that is actually Django's responsibility to solve, rather
than something that is a webserver configuration issue.
At this point, it's not clear to me that either of these two things
is true. Based on your messages and the feedback from Graham and
Steve, it sounds like you're describing an attack that *could* exist,
but only if you've got a misconfigured (or badly implemented) web
server.
If you believe that I'm wrong, and there *is* an actual problem, you
need to convince us. This doesn't mean posting large wads of Django's
source code and proposed patches over multiple messages. It means
describing in clear, concise language exactly what conditions need to
exist for a problem to occur.
Yours,
Russ Magee %-)
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.