mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

[1.6.x] Prevented views.static.serve() from using large memory on large files.

Browse Source 
This is a security fix. Disclosure following shortly.
This commit is contained in:
Tim Graham
2014-12-09 15:32:03 -05:00
parent 72e0b03366
commit 553779c405
5 changed files with 45 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
docs/releases/1.4.18.txt
View File

@@ -45,6 +45,21 @@ from a XSS attack. This bug doesn't affect Django currently, since we only put
this URL into the ``Location`` response header and browsers seem to ignore
JavaScript there.
Denial-of-service attack against ``django.views.static.serve``
==============================================================
In older versions of Django, the :func:`django.views.static.serve` view read
the files it served one line at a time. Therefore, a big file with no newlines
would result in memory usage equal to the size of that file. An attacker could
exploit this and launch a denial-of-service attack by simultaneously requesting
many large files. This view now reads the file in chunks to prevent large
memory usage.
Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid. Now
may be a good time to audit your project and serve your files in production
using a real front-end web server if you are not doing so.
Bugfixes
========

15
docs/releases/1.6.10.txt
View File

@@ -43,3 +43,18 @@ provide safe redirect targets and put such a URL into a link, they could suffer
from a XSS attack. This bug doesn't affect Django currently, since we only put
this URL into the ``Location`` response header and browsers seem to ignore
JavaScript there.
Denial-of-service attack against ``django.views.static.serve``
==============================================================
In older versions of Django, the :func:`django.views.static.serve` view read
the files it served one line at a time. Therefore, a big file with no newlines
would result in memory usage equal to the size of that file. An attacker could
exploit this and launch a denial-of-service attack by simultaneously requesting
many large files. This view now reads the file in chunks to prevent large
memory usage.
Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid. Now
may be a good time to audit your project and serve your files in production
using a real front-end web server if you are not doing so.