On Thursday, January 5, 2017 at 11:14:08 PM UTC+1, Josh Smeaton wrote:
>
> > I am -0 to -1 for the debugger -- I've seen too many sites out there 
> > running with DEBUG=True, enabling RCE ootb seems to be pretty horrible.
>
> But it's so incredibly useful. And we already show the django debug page 
> for errors with DEBUG=True that exposes enough secrets to allow a 
> sufficient attacker to gain access.
>

What exactly? Last time I checked, SECRET_KEY and other dangerous stuff was 
blanked out as well as possible. Do not get me wrong, it is certainly not 
"safe" to show the debug page, but leaking information versus RCE is a 
different story… Even if the debug page leaks enough information to log in 
as admin, you do not necessarily compromise the OS, whereas the werkzeug 
debugger gives you at least user access to the OS.

And truth be told, I can count the instances where the werkzeug debugger 
would have been useful on one hand -- the traces are usually more than 
enough.

> If we could, by default, block the debugger in a similar way that django 
> debug toolbar does, would that be appropriate? That is, checks for DEBUG 
> and HOST etc?
>

I am not deploying debug toolbar anywhere, so I cannot tell. That said, 
people have DEBUG=True etc. in prod; if we open those installations for RCE, 
that would still suck (defense in depth and everything). Also 
https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/ 
-- even though it is old, it is a nice sign that it happens…

Cheers,
Florian
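The gate Josh sketches above (require DEBUG, an internal client address and a valid Host header before any interactive debugger is exposed), as an added Python example that is not part of this thread nor of Django, werkzeug or debug toolbar; `debugger_allowed`, `host_allowed` and the plain `settings` dict are assumed names standing in for Django settings:

```python
import ipaddress


def host_allowed(host_header, allowed_hosts):
    """Match the Host header the way Django's ALLOWED_HOSTS does:
    exact name, '*' for anything, or '.suffix' for a domain and its subdomains."""
    host = host_header.strip().lower()
    # Drop an explicit port; IPv6 literals are bracketed, so cut after ']' for those.
    if host.startswith('['):
        host = host.split(']', 1)[0] + ']'
    else:
        host = host.split(':', 1)[0]
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == '*' or pattern == host:
            return True
        if pattern.startswith('.') and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


def debugger_allowed(settings, remote_addr, host_header):
    """Return (allowed, reason). All three gates must pass; the reason names the
    first failing gate so a refused request can be logged and alerted on.
    remote_addr must be the socket peer (REMOTE_ADDR), never X-Forwarded-For, which a
    client controls. Caveat: behind a reverse proxy on the same box, REMOTE_ADDR is
    127.0.0.1 for every request, so a loopback entry in INTERNAL_IPS gates nothing."""
    if not settings.get('DEBUG', False):
        return False, 'DEBUG is off'
    try:
        client = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False, 'unparseable REMOTE_ADDR'
    # Plain addresses in INTERNAL_IPS become /32 or /128 networks; CIDRs also work.
    internal = [ipaddress.ip_network(n, strict=False) for n in settings.get('INTERNAL_IPS', [])]
    if not any(client in net for net in internal):
        return False, 'client not in INTERNAL_IPS'
    if not host_allowed(host_header, settings.get('ALLOWED_HOSTS', [])):
        return False, 'Host header not in ALLOWED_HOSTS'
    return True, 'ok'


if __name__ == '__main__':
    # Constructed sample settings and requests, not taken from any real deployment.
    cfg = {'DEBUG': True, 'INTERNAL_IPS': ['127.0.0.1', '::1'],
           'ALLOWED_HOSTS': ['localhost', '.example.com']}
    for addr, host in [('127.0.0.1', 'localhost:8000'), ('203.0.113.5', 'localhost'),
                       ('127.0.0.1', 'evil.test')]:
        print(addr, host, debugger_allowed(cfg, addr, host))
```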

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/91eb120a-e777-4bbe-ad63-345d6983cfba%40googlegroups.com.