Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
According to Django document: “it was common to place static assets in MEDIA_ROOT along with user-uploaded files, and serve them both at MEDIA_URL. “
Does that mean everyone could access other people’s uploaded files?
Isn’t it unsafe?
To answer your question: yes, this would allow everyone to access everybody’s uploaded files. And yes, this is a security risk.
As a general rule, sensitive files should never be served directly from the filesystem. As another rule, all files should be considered sensitive unless explicitly marked otherwise.
The origin of the
MEDIA_ROOTandMEDIA_URLsettings probably lie in Django’s history as a publishing platform. After all, your editors probably won’t mind if the pictures they add to articles can easily be found. But then again, pictures accompanying an article are usually non-sensitive.To expand on your question: sensitive files should always be placed in a directory that is not directly accessible by the web server. Requesting those files should only be done through a view class or function, which can do some sensible access checking before serving the file.
Also, do not rely on obfuscation for sensitive files. For example, let’s use Paulo’s example (see other answer) to obfuscate photo albums. Now my pictures are stored like
MEDIA_URL/A8FEB0993BED/P100001.JPG. If I share this link with someone else, they can easily try URLs likeMEDIA_URL/A8FEB0993BED/P710032.JPG, basically allowing them to brute-force my entire photo album.