#35900: staticfiles: Make staticfiles.json location unguessable for security (by obscurity!).
-------------------------------------+-------------------------------------
     Reporter:  Sebastian Pipping    |                     Type:  Uncategorized
       Status:  new                  |                Component:  contrib.staticfiles
      Version:  dev                  |                 Severity:  Normal
     Keywords:  staticfiles          |             Triage Stage:  Unreviewed
                security hardening   |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 Hi!

 An attacker searching for a way to attack a specific Django setup can
 check the URL `/static/staticfiles.json` and use its content to first
 derive the dependencies in use (potentially down to a specific version)
 and then derive attack vectors based on that information.

 A fix would be to not use the guessable name `staticfiles.json` by default
 but to include some entropy in that filename, à la
 `staticfiles_USD7M7XPCLK3CJAEXNMGXN2WLYSHLNE2.json`, e.g. based on
 `settings.SECRET_KEY`, so that the `ManifestFilesMixin.manifest_name`
 content remains stable across all Python processes.  The "by default" is
 key here, because most users of Django do not seem to consider the
 security implications of serving the file `staticfiles.json` to
 attackers; I keep finding these files in the wild. Yes, security by
 obscurity is never enough in isolation, but it does make attacking harder
 in practice.

 Pull request 18778 (https://github.com/django/django/pull/18778) demos one
 way the situation could be improved in a backwards-compatible way, by
 default and for everyone.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/35900>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
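One way to realise the idea in the ticket, as an added example that is not the pull request's code: the manifest name is an HMAC of a fixed label keyed with `settings.SECRET_KEY`, so every process of one deployment computes the same name while nobody without the key can guess it. The label, the 160-bit truncation (32 base32 characters, the shape of the name quoted in the ticket) and the `UnguessableManifestStaticFilesStorage` class name are assumptions; the Django import is guarded only so the derivation can be exercised without Django installed.

```python
import base64
import hashlib
import hmac

try:  # Django is optional here so the derivation itself runs stand-alone
    from django.contrib.staticfiles.storage import ManifestStaticFilesStorage
except ImportError:  # pragma: no cover
    ManifestStaticFilesStorage = object

# Assumed domain-separation label: keeps this HMAC distinct from any other
# use of SECRET_KEY (signing cookies, tokens, ...) in the same project.
MANIFEST_LABEL = b"django.contrib.staticfiles.manifest"


def unguessable_manifest_name(secret_key: str, name_bits: int = 160) -> str:
    """Return 'staticfiles_<TOKEN>.json' with TOKEN keyed by secret_key.

    HMAC-SHA256 is one-way and keyed: the file name leaks nothing about the
    key, and it cannot be computed without the key. 160 bits encode to
    exactly 32 base32 characters, so no padding is ever produced.
    """
    if not secret_key:
        raise ValueError("SECRET_KEY must be set before deriving the manifest name")
    mac = hmac.new(secret_key.encode("utf-8"), MANIFEST_LABEL, hashlib.sha256)
    token = base64.b32encode(mac.digest()[: name_bits // 8]).decode("ascii")
    return f"staticfiles_{token.rstrip('=')}.json"


class UnguessableManifestStaticFilesStorage(ManifestStaticFilesStorage):
    """Drop-in replacement for ManifestStaticFilesStorage (assumed name).

    The instance attribute is set before the parent __init__ runs, because
    ManifestFilesMixin loads the manifest from self.manifest_name there.
    Rotating SECRET_KEY changes the name, so collectstatic must be re-run.
    """

    def __init__(self, *args, **kwargs):
        from django.conf import settings  # lazy: needs configured settings

        self.manifest_name = unguessable_manifest_name(settings.SECRET_KEY)
        super().__init__(*args, **kwargs)
```

Point the `STORAGES["staticfiles"]["BACKEND"]` setting at this class; the manifest is only ever read server-side, so nothing in rendered pages reveals the derived name.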
