Why is serving static files insecure

This may be a silly question with an obvious answer, but I am testing my 404 and 500 error handlers, which means I have to switch DEBUG to False. I went to the Django admin page and found that the static files were not being served.

I know they should be routed through Apache, since serving static files through Django is insecure. But I don't really understand why serving static files directly through Django is a security risk?

Here is what the Django 1.8 documentation says on the subject:

--insecure

Use the --insecure option to force serving of static files with the staticfiles app even if the DEBUG setting is False. By using this you acknowledge the fact that it’s grossly inefficient and probably insecure. This is only intended for local development, should never be used in production and is only available if the staticfiles app is in your project’s INSTALLED_APPS setting.

As you can see, they say "grossly inefficient" and "probably insecure". They do not say "definitely insecure" or "insecure". I think what they are implying is that they have not done a thorough security analysis of the staticfiles app and its interaction with the rest of Django.

For me, the "grossly inefficient" part alone should be enough to stop you from serving static content this way. It is easy to do better... starting with the collectstatic command.


After searching some more, I found this Google Groups post, written in response to someone asking why --insecure is insecure.

From: Malcolm Tredinnick

Nothing can be considered secure unless it is designed and audited for security. We have done neither with the static file server. It may not have existing security holes, but it should not be considered secure because that's not a design goal.

For example, a secure file server would need to check for resource allocation problems so that serving a very large file didn't constitute a denial-of-service attack. That requires a lot of extra code and pipeline management which isn't worth putting into something that's just for development purposes.

...which supports my interpretation.
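The resource-allocation point in the quoted post is easy to see in plain Python. The block below is an added example, not code from the question, from either answer, or from Django's staticfiles app: a development-style handler that reads a whole file into memory before sending it, next to a bounded handler that refuses over-sized files up front and streams the rest in fixed chunks. The function names, the chunk size, the response cap and the sample file sizes are all assumptions constructed for the demo; in production the files would still be handed to Apache or nginx, which already do this kind of bookkeeping.

```python
import os
import tempfile

# Constructed limits for the demo (assumptions, not Django settings).
CHUNK_SIZE = 64 * 1024                # bytes read per iteration when streaming
MAX_RESPONSE_BYTES = 8 * 1024 * 1024  # hypothetical per-response cap for the bounded handler


class ResponseTooLarge(Exception):
    """Raised when a file exceeds the configured response cap."""


def serve_naive(path, write):
    """Development-style handler: read the whole file, then hand it off.

    Peak memory equals the file size, so one request for a very large file
    ties up that much RAM for the duration of the response.
    Returns (bytes_sent, peak_buffered).
    """
    with open(path, "rb") as fh:
        body = fh.read()
    write(body)
    return len(body), len(body)


def serve_streaming(path, write, chunk_size=CHUNK_SIZE, max_bytes=MAX_RESPONSE_BYTES):
    """Bounded handler: reject over-sized files, then stream in fixed chunks.

    Peak memory is bounded by chunk_size regardless of file size.
    Returns (bytes_sent, peak_buffered).
    """
    size = os.path.getsize(path)
    if size > max_bytes:
        raise ResponseTooLarge(f"{path}: {size} bytes exceeds cap of {max_bytes}")
    sent = 0
    peak = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            write(chunk)
            sent += len(chunk)
            peak = max(peak, len(chunk))
    return sent, peak


def make_sample_file(size_bytes):
    """Create a throwaway file of the requested size (constructed test data)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\0" * size_bytes)
    return path


def compare(size_bytes):
    """Serve the same file both ways and report how much each buffered at once."""
    path = make_sample_file(size_bytes)
    try:
        sink = lambda chunk: None  # stands in for the socket write
        naive = serve_naive(path, sink)
        streamed = serve_streaming(path, sink)
    finally:
        os.remove(path)
    return {"bytes": streamed[0], "naive_peak": naive[1], "streamed_peak": streamed[1]}


def rejects_oversize(size_bytes):
    """True if the bounded handler refuses a file of size_bytes before reading it."""
    path = make_sample_file(size_bytes)
    try:
        serve_streaming(path, lambda chunk: None)
        return False
    except ResponseTooLarge:
        return True
    finally:
        os.remove(path)


if __name__ == "__main__":
    for mib in (1, 4):
        print(f"{mib} MiB:", compare(mib * 1024 * 1024))
    print("cap enforced:", rejects_oversize(MAX_RESPONSE_BYTES + 1))
```

Running it shows the naive handler's peak buffer growing with the file while the streaming handler stays at one chunk, and the cap turning away a file one byte over the limit. The point is not that these few lines make a file server production-grade, but that even this much accounting is work the development server deliberately does not do.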