diff options
| author | Tim Graham <timograham@gmail.com> | 2014-12-09 15:32:03 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-01-13 13:02:56 -0500 |
| commit | 818e59a3f0fbadf6c447754d202d88df025f8f2a (patch) | |
| tree | 8f50f7bd7b1eb85c4f83e7366e510f6aa981ff68 /docs | |
| parent | de67dedc771ad2edec15c1d00c083a1a084e1e89 (diff) | |
[1.7.x] Prevented views.static.serve() from using large memory on large files.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.4.18.txt | 15 | ||||
| -rw-r--r-- | docs/releases/1.6.10.txt | 15 | ||||
| -rw-r--r-- | docs/releases/1.7.3.txt | 15 |
3 files changed, 45 insertions, 0 deletions
diff --git a/docs/releases/1.4.18.txt b/docs/releases/1.4.18.txt index 2da42533bd..7c431cfa5a 100644 --- a/docs/releases/1.4.18.txt +++ b/docs/releases/1.4.18.txt @@ -45,6 +45,21 @@ from a XSS attack. This bug doesn't affect Django currently, since we only put this URL into the ``Location`` response header and browsers seem to ignore JavaScript there. +Denial-of-service attack against ``django.views.static.serve`` +============================================================== + +In older versions of Django, the :func:`django.views.static.serve` view read +the files it served one line at a time. Therefore, a big file with no newlines +would result in memory usage equal to the size of that file. An attacker could +exploit this and launch a denial-of-service attack by simultaneously requesting +many large files. This view now reads the file in chunks to prevent large +memory usage. + +Note, however, that this view has always carried a warning that it is not +hardened for production use and should be used only as a development aid. Now +may be a good time to audit your project and serve your files in production +using a real front-end web server if you are not doing so. + Bugfixes ======== diff --git a/docs/releases/1.6.10.txt b/docs/releases/1.6.10.txt index 92b709d25d..20aa595b77 100644 --- a/docs/releases/1.6.10.txt +++ b/docs/releases/1.6.10.txt @@ -43,3 +43,18 @@ provide safe redirect targets and put such a URL into a link, they could suffer from a XSS attack. This bug doesn't affect Django currently, since we only put this URL into the ``Location`` response header and browsers seem to ignore JavaScript there. + +Denial-of-service attack against ``django.views.static.serve`` +============================================================== + +In older versions of Django, the :func:`django.views.static.serve` view read +the files it served one line at a time. Therefore, a big file with no newlines +would result in memory usage equal to the size of that file. An attacker could +exploit this and launch a denial-of-service attack by simultaneously requesting +many large files. This view now reads the file in chunks to prevent large +memory usage. + +Note, however, that this view has always carried a warning that it is not +hardened for production use and should be used only as a development aid. Now +may be a good time to audit your project and serve your files in production +using a real front-end web server if you are not doing so. diff --git a/docs/releases/1.7.3.txt b/docs/releases/1.7.3.txt index 0980c67d9d..2da43658f8 100644 --- a/docs/releases/1.7.3.txt +++ b/docs/releases/1.7.3.txt @@ -44,6 +44,21 @@ from a XSS attack. This bug doesn't affect Django currently, since we only put this URL into the ``Location`` response header and browsers seem to ignore JavaScript there. +Denial-of-service attack against ``django.views.static.serve`` +============================================================== + +In older versions of Django, the :func:`django.views.static.serve` view read +the files it served one line at a time. Therefore, a big file with no newlines +would result in memory usage equal to the size of that file. An attacker could +exploit this and launch a denial-of-service attack by simultaneously requesting +many large files. This view now reads the file in chunks to prevent large +memory usage. + +Note, however, that this view has always carried a warning that it is not +hardened for production use and should be used only as a development aid. Now +may be a good time to audit your project and serve your files in production +using a real front-end web server if you are not doing so. + Bugfixes ======== |
