Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Small potential security issue: don't show version number by default in browsable API #3878

Closed
blag opened this issue Jan 27, 2016 · 4 comments
Labels
Milestone

Comments

@blag
Copy link
Contributor

blag commented Jan 27, 2016

I'm creating this issue simply to discuss this change. If this isn't the appropriate or the best place for this discussion, please feel free to close it.

The Santy worm spread worldwide within a mere three hours of its release. It found vulnerable instances of PHPBB by automatically googling for version strings of vulnerable versions - eg: "Powered by PHPBB v2.3.0".

Since the browsable API can be browsed by robots if users don't set their robots.txt up properly, we may want to consider not displaying the version string of DRF (eg: "Django REST framework v 3.3.2" - the bold part) in the rest_framework/base.html default template. Keeping the "Django REST framework" branding is fine, I'm just advocating for removing the DRF version string. This would prevent Santy-style discovery of vulnerable versions of DRF if there are other security flaws in DRF. This does not mean that DRF is currently vulnerable because it's showing its version, this change simply makes the worst case scenario less worse.

If users absolutely want the version string to be displayed they can simply override the rest_framework/base.html template to include <span class="version">{{ version }}</span>.

This change is small, it improves the security posture of DRF (by default), it has a very low likelihood of interfering with any existing use cases of DRF, and it is trivially reverted by users if it does end up interfering with their use case.

I'm of the opinion that the default settings for software should be reasonably secure, to decrease the amount of work users have to do to secure things down. This change is so small and easy that I think it is a reasonable change to make.

Note that this has absolutely nothing to do with API versioning - that's an entirely different and independent thing.

@tomchristie
Copy link
Member

I think that'd be a reasonable change, yup.

@ghost
Copy link

ghost commented Jan 29, 2016

Quoted from official site

If you believe you’ve found something in Django REST framework which has security implications, please do not raise the issue in a public forum.

Send a description of the issue via email to rest-framework-security@googlegroups.com. The project maintainers will then work with you to resolve any issues where required, prior to any public disclosure.

@xordoquy
Copy link
Collaborator

I think it's fine to leave the issue here since it is not a security issue in itself but rather a better default setting for DRF.

@blag
Copy link
Contributor Author

blag commented Jan 30, 2016

@vyscond: @xordoquy is correct, this isn't a security issue and public disclosure has pretty much nothing to do with this issue, so I didn't feel that was warranted.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants