Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Added a warning regarding risks in serving user uploaded media.

Thanks Preston Holmes for the draft text.
  • Loading branch information...
commit df6760f12c2f08287e2aa7b5ddee6e567ab83220 1 parent 041a076
Tim Graham timgraham authored
6 docs/ref/settings.txt
View
@@ -1483,6 +1483,12 @@ Example: ``"http://media.example.com/"``
.. warning::
+ There are security risks if you are accepting uploaded content from
+ untrusted users! See the security guide's topic on
+ :ref:`user-uploaded-content-security` for mitigation details.
+
+.. warning::
+
:setting:`MEDIA_URL` and :setting:`STATIC_URL` must have different
values. See :setting:`MEDIA_ROOT` for more details.
6 docs/topics/http/file-uploads.txt
View
@@ -10,6 +10,12 @@ When Django handles a file upload, the file data ends up placed in
</ref/request-response>`). This document explains how files are stored on disk
and in memory, and how to customize the default behavior.
+.. warning::
+
+ There are security risks if you are accepting uploaded content from
+ untrusted users! See the security guide's topic on
+ :ref:`user-uploaded-content-security` for mitigation details.
+
Basic file uploads
==================
50 docs/topics/security.txt
View
@@ -203,6 +203,52 @@ be deployed such that untrusted users don't have access to any subdomains,
:mod:`django.contrib.sessions` also has limitations. See :ref:`the session
topic guide section on security <topics-session-security>` for details.
+.. _user-uploaded-content-security:
+
+User-uploaded content
+=====================
+
+.. note::
+ Consider :ref:`serving static files from a cloud service or CDN
+ <staticfiles-from-cdn>` to avoid some of these issues.
+
+* If your site accepts file uploads, it is strongly advised that you limit
+ these uploads in your Web server configuration to a reasonable
+ size in order to prevent denial of service (DOS) attacks. In Apache, this
+ can be easily set using the LimitRequestBody_ directive.
+
+* If you are serving your own static files, be sure that handlers like Apache's
+ ``mod_php``, which would execute static files as code, are disabled. You don't
+ want users to be able to execute arbitrary code by uploading and requesting a
+ specially crafted file.
+
+* Django's media upload handling poses some vulnerabilities when that media is
+ served in ways that do not follow security best practices. Specifically, an
+ HTML file can be uploaded as an image if that file contains a valid PNG
+ header followed by malicious HTML. This file will pass verification of the
+ libraries that Django uses for :class:`~django.db.models.ImageField` image
+ processing (PIL or Pillow). When this file is subsequently displayed to a
+ user, it may be displayed as HTML depending on the type and configuration of
+ your web server.
+
+ No bulletproof technical solution exists at the framework level to safely
+ validate all user uploaded file content, however, there are some other steps
+ you can take to mitigate these attacks:
+
+ 1. One class of attacks can be prevented by always serving user uploaded
+ content from a distinct Top Level Domain (TLD). This prevents any
+ exploit blocked by `same-origin policy`_ protections such as cross site
+ scripting. For example, if your site runs on ``example.com``, you would
+ want to serve uploaded content (the :setting:`MEDIA_URL` setting) from
+ something like ``usercontent-example.com``. It's *not* sufficient to
+ serve content from a subdomain like ``usercontent.example.com``.
+
+ 2. Beyond this, applications may choose to define a whitelist of allowable
+ file extensions for user uploaded files and configure the web server
+ to only serve such files.
+
+.. _same-origin policy: http://en.wikipedia.org/wiki/Same-origin_policy
+
.. _additional-security-topics:
Additional security topics
@@ -219,10 +265,6 @@ security protection of the Web server, operating system and other components.
* Django does not throttle requests to authenticate users. To protect against
brute-force attacks against the authentication system, you may consider
deploying a Django plugin or Web server module to throttle these requests.
-* If your site accepts file uploads, it is strongly advised that you limit
- these uploads in your Web server configuration to a reasonable
- size in order to prevent denial of service (DOS) attacks. In Apache, this
- can be easily set using the LimitRequestBody_ directive.
* Keep your :setting:`SECRET_KEY` a secret.
* It is a good idea to limit the accessibility of your caching system and
database using a firewall.
Please sign in to comment.
Something went wrong with that request. Please try again.