Changes between Initial Version and Version 1 of Ticket #35900


Ignore:
Timestamp:
Nov 9, 2024, 10:10:26 AM (6 weeks ago)
Author:
Sebastian Pipping
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #35900

    • Property Summary staticfiles: Make staticfiles.json location unguessable for security (by obscurity!).staticfiles: Make staticfiles.json location unguessable for security (by obscurity!)
  • Ticket #35900 – Description

    initial v1  
    33An attacker searching for a way to attack a specific Django setup can check URL `/static/staticfiles.json` and use its content to first derive used dependencies (potentially down to a specific version) to then derive attack vectors based on that information.
    44
    5 A fix would be to not use guessable name `staticfiles.json` by default but to include some entropy in that filename a la `staticfiles_USD7M7XPCLK3CJAEXNMGXN2WLYSHLNE2.json` e.g. based on `settings.SECRET_KEY` so that `ManifestFilesMixin.manifest_name` content remains stable across all Python processes.  The "by default" is key here, because most users of Django do not seem to consider the security implications of serving file `staticfiles.json` to attackers, I keep finding these files in the wild. Yes, security by obscurity is never enough in isolation, but it does make attacking harder in practice.
     5A fix would be to not use guessable name `staticfiles.json` by default but to include some entropy in that filename a la `staticfiles_USD7M7XPCLK3CJAEXNMGXN2WLYSHLNE2.json` e.g. derived from `settings.SECRET_KEY` so that `ManifestFilesMixin.manifest_name` content remains stable across all Python processes.  The "by default" is key here, because most users of Django do not seem to consider the security implications of serving file `staticfiles.json` to attackers, I keep finding these files in the wild. Yes, security by obscurity is never enough in isolation, but it does make attacking harder in practice. All but one operators have decided to unpublish that file when I contacted them about this issue with their setup so far.
    66
    77Pull request 18778 (https://github.com/django/django/pull/18778) demos one way how the situation could be improved in a backwards-compatible way by default and for everyone.
Back to Top