[1.7.x] Prevented views.static.serve() from using large memory on large files.

This is a security fix. Disclosure following shortly.
author: Tim Graham <timograham@gmail.com> 2014-12-09 15:32:03 -0500
committer: Tim Graham <timograham@gmail.com> 2015-01-13 13:02:56 -0500
commit: 818e59a3f0fbadf6c447754d202d88df025f8f2a (patch)
tree: 8f50f7bd7b1eb85c4f83e7366e510f6aa981ff68 /django/views/static.py
parent: de67dedc771ad2edec15c1d00c083a1a084e1e89 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/django/views/static.py b/django/views/static.py
index 68fb7c4654..0ce00a9963 100644
--- a/django/views/static.py
+++ b/django/views/static.py
@@ -17,6 +17,8 @@ from django.utils.http import http_date, parse_http_date
 from django.utils.six.moves.urllib.parse import unquote
 from django.utils.translation import ugettext as _, ugettext_lazy
 
+STREAM_CHUNK_SIZE = 4096
+
 
 def serve(request, path, document_root=None, show_indexes=False):
     """
@@ -61,7 +63,8 @@ def serve(request, path, document_root=None, show_indexes=False):
         return HttpResponseNotModified()
     content_type, encoding = mimetypes.guess_type(fullpath)
     content_type = content_type or 'application/octet-stream'
-    response = StreamingHttpResponse(open(fullpath, 'rb'),
+    f = open(fullpath, 'rb')
+    response = StreamingHttpResponse(iter(lambda: f.read(STREAM_CHUNK_SIZE), b''),
                                      content_type=content_type)
     response["Last-Modified"] = http_date(statobj.st_mtime)
     if stat.S_ISREG(statobj.st_mode):
author	Tim Graham <timograham@gmail.com>	2014-12-09 15:32:03 -0500
committer	Tim Graham <timograham@gmail.com>	2015-01-13 13:02:56 -0500
commit	818e59a3f0fbadf6c447754d202d88df025f8f2a (patch)
tree	8f50f7bd7b1eb85c4f83e7366e510f6aa981ff68 /django/views/static.py
parent	de67dedc771ad2edec15c1d00c083a1a084e1e89 (diff)