Saturday, August 12, 2006

Django security.

I replied to a blog post by Jason Huggins on his blog asking for a web framework evaluation checklist. I listed a number of common security issues, and finished my post with:

"I cannot see any python web frameworks that do not have a history of security problems. I also cannot see one which was designed from the beginning with security in mind."

Then James Bennett (a Django contributor) asked about problems with Django specifically, saying 'if there’s some long bounding history of security flaws in Django, I sure haven’t seen it'.

http://www.jrandolph.com/blog/?p=45

Unfortunately my reply seems to be caught up in the moderator's queue, so I guess I'll have to put my answer below. A couple of posts after mine are there, so I am not sure why my post was not approved to be posted.

PS. Since my post on the 11th of August I have reported four security issues to the Django project. Not one has even been replied to. Not even with a simple response like 'I got your email, we are looking at it'. It's great having a policy, but if you don't follow it then what's the point?
UPDATE: Adrian has been notified, and is looking into it. There was a problem with the email alias.

Have fun!

# Rene Dudfield Says: Your comment is awaiting moderation.
August 11th, 2006 at 3:37 am

James. You’ve answered your question about the Django security history for me. I cannot see a list of security incidents listed on the Django site. I think a good idea would be to list them on the front page in fairly large type. However those ones you mentioned are only a few months old, so I reckon there are more problems.

For XSS you need to start with whitelisting, and go from there. There’s a bunch of good articles on the subject. Just escaping stuff is not enough.
http://www.iamcal.com/publish/articles/php/processing_html_part_2/

http://cr.yp.to/ is a good source of information about writing secure unix network software.

If you assume that user submitted content can not be cleaned, then is the system still secure? Feedparser, with 3000 unittests and heaps of high traffic sites still got it wrong.

Not only is Django itself not secure, but the pieces it is built on are not secure. Just search for apache, mod_python, and python security issues.

If you are sure about the current state of Django then maybe put up an offer for $1000 if no holes are found ;) I’ll give you $1000 if Django makes it through the next year without a hole found.

Jason. I’m not sure of a web framework which has security considered in the design from the start. It’s really good that the Ruby developers have started to put an emphasis on it. I’m going to take this opportunity to evaluate my own security shortcomings, and I’m glad that others are too.

9 comments:

Adrian Holovaty said...

Hey, could you send your e-mails to security@djangoproject.com again? Looks like I was inadvertently removed from the security e-mail alias. Jacob (other Django dev) got it, but he's off-line this weekend. I've e-mailed you personally but wanted to post a comment here to make sure you saw my request. Thanks!

illume said...

Thanks Adrian. They've been sent through again.

jason huggins said...

Rene, I just approved your comment on my blog. Since it's the weekend, I was slow on checking for those things. Sorry about that! Regarding your comments, yup... policy is one thing, execution of policy is another thing... I'll add "security track record" as item #2 on my web framework checklist. :-)

jason huggins said...

Regarding: "A couple of posts after mine are there, so I am not sure why my post was not approved to be posted." -- I don't know either... perhaps there's a hidden 'no more than "x" posts allowed in a day' setting that was triggered. Again, sorry about that...

illume said...

Thanks Jason.

Capn Sensible said...

Hi. Don't know if you noticed but you're Google #1 for "django security". Which is unfortunate because I didn't find any useful information here. You said "for XSS you need to start with white listing" and "just escaping stuff is not enough."

I'd say that if you're HTML-escaping user data on output (which I think is what you mean) then you're preventing users from adding any HTML and therefore XSS isn't a concern. And if you operate a public site with potentially untrusted contributors and need to allow them to apply formatting to their contributions, HTML is not an appropriate way to do so. The link you posted to a PHP page surely just perpetuates this PHP-think approach which has resulted in so many PHP app security problems in the past?

I guess I'm hoping you'd either provide some more useful information on genuine django security problems, or self-moderate what you've written here.

Regards
Alex Francis

illume said...

Hi Alex,

I don't control how google works.

I am going to provide more information for this one year old post.

Django is still beta software and not finished. Things improve all the time. However I don't think it was designed with security in mind. It favours ease of use over security in some ways (eg html escaping). The level of security needed by many websites may be fine for what Django does. There are some security issues that Django solves - which some other web frameworks do not.

If the Django developers wanted to post their security issues, or devote a web page to them, then they'd probably be listed higher on google. Django still doesn't have a 'security' link or section on their front page.

Also if someone else did an analysis of Django security then they would also be listed higher... and someone could post a link to that.

Read the post that my post refers to. One of my points was the lack of information about Django security issues. In the past year that could have improved.

If you can prove something I have said is wrong, then I'll update the page. Otherwise it will just remain a blog post for history's record.

Your ideas on XSS escaping need some more research I think.

"I'd say that if you're HTML-escaping user data on output (which I think is what you mean) then you're preventing users from adding any HTML and therefore XSS isn't a concern"

Here are some of the best resources of information about XSS. There you will find some best practices - which are not just html escaping everything.
http://en.wikipedia.org/wiki/XSS
http://shiflett.org/articles/foiling-cross-site-attacks

Nowhere does it say on those pages that merely escaping html will prevent XSS issues.

Django does not use a secure by default design of escaping for html. Neither does it have a test suite passing all of the available known XSS exploits.

Here's the list with lots of XSS exploits on it - which can be used to test if XSS prevention techniques work:
http://ha.ckers.org/xss.html

Note at the time I originally wrote this even the Django webpage itself had at least one XSS problem. I pointed it out to Adrian, and he fixed it. No disclosure was needed apparently.

Here's the beta of the Django book (written by Django developers); it has a security section! Lots of information in there:
http://www.djangobook.com/en/beta/chapter20/

Note that in that book the authors admit "First, though, an important disclaimer: we’re in no way experts in this realm". Neither do they claim 'security' as a feature on the front of their web page.

After I wrote this original post I started to look through Django for security issues. I think the authors were busy, or just tired of talking with me - as emails went unanswered. Some issues were addressed, but others ignored, or denied. So rather than waste my time, I decided not to help find any more or to try and explain any issues. Why should I try and help people who ignore my emails? Adrian is a busy man, so he probably didn't have time to respond to me. He did answer many of them - just not all.

Note that since then there have been security issues which have not been publicly disclosed in the manner their 'How to report security issues' page says. Well, if you don't count subversion logs as disclosure - then that has been done.

As I said earlier, Django does not profess to be secure by design. It does not list security as one of its features. The authors claim not to be experts in security. I have also shown there has been a history of security flaws in Django. Also Django is beta software, and improving all the time. Why would beta software be secure?

Django has many strengths, but I don't think it'd be a wise choice for something that required high security.

If you want to find reported Django security issues, don't go to the front of the Django website - there's no security information there. Search Trac, the mailing lists, blogs and subversion, as well as use google to search. There is now a django announce mailing list where security issues are supposed to be announced too.

Ok, I hope that's enough information. I'm glad to help the Django community looking for security information on Django. That's another couple of hours I've spent on it.

PS. I think Django is probably better than a lot of web frameworks out there in terms of security. Better than many I've seen.
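As an added illustration of the escaping-versus-whitelisting point argued in the comment above (example code, not from the original post and not Django's own API), the following shows why `html.escape` on its own does not cover a value placed in an `href`, and what a scheme allow-list for that context looks like. The function names and inputs are constructed for the example.

```python
"""Escaping alone vs. escaping plus an allow-list for the URL context.

Constructed example; the inputs are made up and the functions are
hypothetical helpers, not Django APIs.
"""
import html
from urllib.parse import urlparse

# Schemes a commenter may link to; everything else is neutralised.
ALLOWED_SCHEMES = ("http", "https", "mailto")


def render_comment(author: str, link: str) -> str:
    """Naive template: escapes the text node, but trusts the href.

    The name is safe, yet a 'javascript:' link survives untouched because
    html.escape finds nothing to escape in it: the problem is the context,
    not the characters.
    """
    return '<a href="%s">%s</a>' % (link, html.escape(author))


def safe_url(link: str) -> str:
    """Allow-list the scheme, then escape for a double-quoted attribute.

    Control characters are dropped first because browsers ignore them when
    parsing a scheme, so 'java<TAB>script:' must be treated as 'javascript:'.
    Scheme-less (relative) links are allowed; unknown schemes become '#'.
    """
    cleaned = "".join(ch for ch in link if ord(ch) > 0x1F).strip()
    scheme = urlparse(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return "#"
    return html.escape(cleaned, quote=True)


def render_comment_safe(author: str, link: str) -> str:
    """Same template, with each value treated according to its context."""
    return '<a href="%s">%s</a>' % (safe_url(link), html.escape(author))


if __name__ == "__main__":
    print(render_comment("Bob", "javascript:alert(1)"))       # link passes through
    print(render_comment_safe("Bob", "javascript:alert(1)"))  # href replaced by "#"
```

The same reasoning applies to any other output context that escaping does not address (CSS, inline JavaScript, unquoted attributes): each needs its own rule, which is what the linked articles mean by starting from a whitelist.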

Capn Sensible said...

Hi illume - thanks for such a helpful and thorough response on an admittedly old post, I'll get reading as no doubt will others who find this page the same way I did.

Alex Francis

Wes Pearce said...

"Not only is Django itself not secure, but the pieces it is built on are not secure. Just search for apache, mod_python, and python security issues."

Because you have to use apache and mod_python right?

idiot.