mirror of
https://github.com/django/django.git
synced 2025-10-24 14:16:09 +00:00
[5.2.x] Added security guideline on reasonable size limitations when rendering content via the DTL.
This also removes the need to add warnings for every Django template filter.
Backport of 582ba18d56 from main.
@@ -168,6 +168,32 @@ Django contains many private and undocumented functions that are not part of
its public API. If a vulnerability depends on directly calling these internal
functions in an unsafe way, it will not be considered a valid security issue.
Content displayed by the Django Template Language must be under 100 KB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Django Template Language (DTL) is designed for building the content needed
to display web pages. In particular its text filters are meant for that kind of
usage.
For reference, the complete works of Shakespeare have about 3.5 million bytes
in plain-text ASCII encoding. Displaying such in a single request is beyond the
scope of almost all websites, and so outside the scope of the DTL too.
Text processing is expensive. Django makes no guarantee that DTL text filters
are never subject to degraded performance if passed deliberately crafted,
sufficiently large inputs. Under default configurations, Django makes it
difficult for sites to accidentally accept such payloads from untrusted
sources, but, if it is necessary to display large amounts of user-provided
content, it’s important that basic security measures are taken.
User-provided content should always be constrained to known maximum length. It
should be filtered to remove malicious content, and validated to match expected
formats. It should then be processed offline, if necessary, before being
displayed.
Proof of concepts which use over 100 KB of data to be processed by the DTL will
be considered invalid.
.. _security-report-evaluation:
How does Django evaluate a report
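Review bot: the hunk never pins down what the 100 KB threshold measures. The heading speaks of "Content displayed by the Django Template Language", the closing paragraph of "data to be processed by the DTL", and the middle paragraph of filters being "passed deliberately crafted, sufficiently large inputs"; rendered output, total template input per request, and the argument to a single filter call are different quantities, and a reporter needs to know which one disqualifies a proof of concept. Say so explicitly, ideally in the final paragraph next to "will be considered invalid". Also, "Under default configurations, Django makes it difficult for sites to accidentally accept such payloads" gives the reader nothing to check; a cross-reference to the request size limits (for example ``:setting:`DATA_UPLOAD_MAX_MEMORY_SIZE```) would tie the claim to the settings that actually enforce it. Minor wording: "Displaying such in a single request" reads better as "Displaying such a volume of text in a single request", "constrained to known maximum length" needs "a known maximum length", and "Proof of concepts" should be "Proofs of concept".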