On 8/29/2010 7:43 AM, dave b wrote:
>> OK, so you don't believe the advice you are getting, which is that of
>> the many issues a Django site will face this is a relatively low
>> probability attack. That's fair enough - a vulnerability is a
>> vulnerability, after all, no matter how improbable, and not everyone
>> will set up their production systems to be correctly protected by a
>> front-end server.
>>
>> If you really want to see this in Django you would be better advised to
>> post it in the issue tracker, where it will not get lost.
>>
>>
> 
> Ok I will do this :-)
> 
> Sure. Also, wow, gmail is a horrible email client. I am so used to $else.
> The patch I included in my previous email should not break any *real*
> clients, only evil ones(potentially).
> 
> As I understand it an attacker can abuse gzip user requests, if
> mod_deflate is enabled (AND configured to decompress incoming user
> requests - this is not the default) in apache2 with a user gzipped
> request body.
> 
> So an attacker could effectively have a file like this:
> 
> f = open("rar", "w")
> string = ""
> for i in range(0, 10000000):
>       string += " " + "1"
> f.write(string)
> f.close()
> 
> ls -lah 20M 2010-08-29 17:15 rar
> 
> (except replace write with append and do it a lot more ;) )   and then
> send it gzipped as the request body.
> 
> Just for fun ;)
> gzip rar
> ls -lah 19K 2010-08-29 17:15 rar.gz
> 
> So Django will receive the original 20M file (as the httpd has
> uncompressed it for django ) afaik.
> 
> see Input Decompression at 
> http://httpd.apache.org/docs/2.0/mod/mod_deflate.html

An attacker could also assemble a powerful explosive device and detonate
it near enough your hosting service to take your site down. What
counter-measures are you going to take against that?

You perhaps feel people aren't taking your proposal seriously enough.
The fact of the matter is that security is never absolute, and on a
threat scale of 0 to 10 this issue comes in at about 1.7. If you are
running a professional service and you are monitoring it correctly then
you ought to notice an attack of this nature before it does too much damage.

I repeat, you may be correct in treating this as a vulnerability, but
your estimate of its seriousness appears to disagree with that of
others. If you want to have your code seriously considered for inclusion
(and why not?) you should raise it in the Django issue tracker - see
"Reporting Bugs" in

  http://docs.djangoproject.com/en/1.2/internals/contributing/

regards
 Steve
-- 
DjangoCon US 2010 September 7-9 http://djangocon.us/
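The point of the exchange above is that by the time the body reaches the application the front end has already inflated it, so any cap has to be enforced on the bytes actually read, not on a Content-Length header. As an added example that is not part of this thread or of Django's own code, here is a small WSGI wrapper that does exactly that; `limit_body`, `LimitedInput` and the toy `echo_length` application are hypothetical names, and the inflated body is constructed in the same shape as the one described above.

```python
import io
import sys
class BodyTooLarge(Exception):
    """Raised once the application has read more request-body bytes than allowed."""
class LimitedInput:
    """Wrap wsgi.input so reads past `limit` bytes fail, whatever CONTENT_LENGTH claims."""
    def __init__(self, stream, limit):
        self._stream, self._limit, self._seen = stream, limit, 0

    def read(self, size=-1):
        # Never ask the underlying stream for more than limit+1 bytes in total, so an
        # unbounded read() of an inflated 20 MB body is never pulled into memory whole.
        remaining = self._limit + 1 - self._seen
        data = self._stream.read(remaining if size is None or size < 0 else min(size, remaining))
        self._seen += len(data)
        if self._seen > self._limit:
            raise BodyTooLarge("request body exceeded %d bytes" % self._limit)
        return data

def limit_body(app, limit):
    """WSGI middleware: answer 413 when the wrapped app reads more than `limit` body bytes."""
    def wrapped(environ, start_response):
        environ["wsgi.input"] = LimitedInput(environ["wsgi.input"], limit)
        try:
            return app(environ, start_response)
        except BodyTooLarge:
            # Passing exc_info lets this replace a start_response the app already issued (PEP 3333).
            start_response("413 Request Entity Too Large",
                           [("Content-Type", "text/plain")], sys.exc_info())
            return [b"request body too large\n"]
    return wrapped

def echo_length(environ, start_response):
    """Toy application that, like form parsing, reads the whole body before answering."""
    body = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("%d bytes\n" % len(body)).encode()]

def call(app, body):
    """Drive a WSGI app with a constructed environ; return (status line, response bytes)."""
    statuses = []
    environ = {"REQUEST_METHOD": "POST", "wsgi.input": io.BytesIO(body)}
    result = app(environ, lambda status, headers, exc_info=None: statuses.append(status))
    return statuses[-1], b"".join(result)

if __name__ == "__main__":
    inflated = b" 1" * 10000000          # constructed stand-in for the 20 MB body above
    guarded = limit_body(echo_length, 64 * 1024)
    print(call(guarded, inflated)[0])    # 413 Request Entity Too Large
    print(call(guarded, b"a=1")[0])      # 200 OK
```

The same check belongs in front of the application as well (Apache's LimitRequestBody only sees the bytes on the wire), so treat this as the last line of defence rather than the only one.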
