I replied to a blog post by Jason Huggins on his blog asking for a web framework evaluation checklist. I listed a number of common security issues, and finished my post with:
"I cannot see any Python web frameworks that do not have a history of security problems. I also cannot see one which was designed from the beginning with security in mind."
Then James Bennett (a Django contributor) asked about problems with Django specifically, saying 'if there’s some long bounding history of security flaws in Django, I sure haven’t seen it'.
Unfortunately my reply seems to be caught up in the moderators' queue, so I guess I'll have to put my answer below. A couple of posts after mine are there, so I am not sure why my post was not approved to be posted.
P.S. Since my post on the 11th of August I have reported four security issues to the Django project. Not one has even been replied to. Not even with a simple response like 'I got your email, we are looking at it'. It's great having a policy, but if you don't follow it then what's the point?
UPDATE: Adrian has been notified, and is looking into it. There was a problem with the email alias.
# Rene Dudfield Says: Your comment is awaiting moderation.
August 11th, 2006 at 3:37 am
James. You’ve answered your question about the Django security history for me. I cannot see a list of security incidents on the Django site. I think a good idea would be to list them on the front page in fairly large type. However, those you mentioned are only a few months old, so I reckon there are more problems.
For XSS you need to start with whitelisting, and go from there. There are a bunch of good articles on the subject. Just escaping stuff is not enough.
http://cr.yp.to/ is a good source of information about writing secure Unix network software.
If you assume that user-submitted content cannot be cleaned, then is the system still secure? Feedparser, with 3000 unit tests and heaps of high-traffic sites, still got it wrong.
Not only is Django itself not secure, but the pieces it is built on are not secure. Just search for Apache, mod_python, and Python security issues.
If you are sure about the current state of Django then maybe put up an offer for $1000 if no holes are found ;) I’ll give you $1000 if Django makes it through the next year without a hole found.
Jason. I’m not sure of a web framework which has security considered in the design from the start. It’s really good that the Ruby developers have started to put an emphasis on it. I’m going to take this opportunity to evaluate my own security shortcomings, and I’m glad that others are too.
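The whitelist-first approach the comment above recommends for XSS, as an added illustration that is not the author's or Django's code: a sanitizer built on Python's standard-library HTMLParser that keeps only tags and attributes on an allow-list, discards script/style content and event-handler attributes, rejects URL attributes whose scheme is not http, https or mailto, and escapes all remaining text rather than trusting it. The allow-lists themselves are assumptions chosen for the example.

```python
# Added illustration, not the author's or Django's code; the allow-lists below are assumptions.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # per-tag attribute allow-list
URL_ATTRS = {"href"}                               # attributes that carry a URL
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
DROP_CONTENT = {"script", "style"}                 # text inside these is discarded
class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.open = []         # stack of allowed tags we emitted, for balanced closing
        self.dropping = False  # True while inside script/style
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag vanishes; its text content is still escaped
        parts = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # onclick, style, etc. are not on the list
            value = (value or "").strip()  # HTMLParser already decoded entities
            if name in URL_ATTRS and urlparse(value).scheme not in ALLOWED_SCHEMES:
                continue  # rejects javascript:, data:, vbscript: (urlparse lowercases the scheme)
            parts.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
        self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = False
        elif tag in self.open:
            while self.open:  # close down to the matching tag so output stays well-formed
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break
    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=True))  # text is escaped, never trusted

def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()                                           # flush buffered text
    s.out.extend(f"</{t}>" for t in reversed(s.open))   # close any dangling tags
    return "".join(s.out)
```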