Security question: Can Django templates be used to execute arbitrary code on the server?

2020-05-05 Thread jrief
Is it safe to keep Django template strings inside a TextField of a Django model and allow users with staff privileges to edit them? I'm asking because I'm unsure how safe/dangerous this could be. Would it be possible to abuse a built-in templatetag to execute arbitrary code on the server?

Re: Security Question...

2010-05-25 Thread ringemup
Ah, I see what you mean about sending things in plaintext over SSL. You're right, that would be a lot simpler. That said, I think I can handle the API keys with one model plus less than a dozen lines of verification code, so it's not a huge burden. I just don't have a whole lot of experience

Re: Security Question...

2010-05-25 Thread Alex Robbins
Yeah, I understand that the data doesn't need to be encrypted. I just agree with you that SSL would be ideal. If you had SSL, then I don't think you'd need to work as hard with the public/private key hashing stuff. If all the transmitted data was encrypted (SSL) you could just send a clear-text

Re: Security Question...

2010-05-25 Thread ringemup
By app-level solution you mean some sort of custom encryption / decryption scheme for the data dictionaries? I'm still not convinced the data needs encryption -- I mean, it wouldn't hurt and in an ideal world I'd just push everything over SSL, but the worst thing that happens if someone gets

Re: Security Question...

2010-05-25 Thread Alex Robbins
It might be worth a try to see if the self-signed cert gets you into trouble or not. Some url libraries might complain about it, but I don't think that the behavior is universal. As I think about it, I think it is normally browsers that whine about self-signed certs. Maybe the other server

Re: Security Question...

2010-05-24 Thread ringemup
Not a bad idea, actually, but the other site is on shared hosting, so I don't expect the host to be willing to add a self-signed cert as trusted.

On May 24, 10:07 am, Alex Robbins wrote:
> Just a thought, but if you are the only person using the url, you
> could

Re: Security Question...

2010-05-24 Thread Alex Robbins
Just a thought, but if you are the only person using the url, you could make your own self-signed security cert. It would be free and protect your data. It won't show up as trusted to users, but your other server can be set to accept it. (Assuming the lack of ssl is a budget issue, that wouldn't

Security Question...

2010-05-23 Thread ringemup
Hi folks -- I'm putting together a simple API to allow a separately-hosted but trusted site to perform a very limited set of actions on my site. I'm wondering whether the design I've come up with is reasonably secure: - Other site gets an API key, which is actually in two parts, public key and

Re: Security question

2008-09-11 Thread Gerard Petersen
> tually write to) that
> application server. Now the security question arises. The proposal is
> to have
> - the webserver in a DMZ 1
> - the Django application server in a DMZ 2
> - our internal LAN as another network
> Then we allow very limited requests from DMZ 1 into DMZ 2 and
> to allow

Security question

2008-09-11 Thread OliverMarchand
Dear all, we are using Django as an application server. Now we want our website server to be able to read from (and eventually write to) that application server. Now the security question arises. The proposal is to have - the webserver in a DMZ 1 - the Django application server in a DMZ 2 - our