According to the documentation, using the django.views.static.serve() function is inefficient and insecure.
I understand why it’s inefficient, but in which aspect is it insecure?
It’s as insecure as the Django test server itself, for starters, like the above answer said — that is, it’s not tested for any sort of security the way a “production-ready” server like CherryPy would be. As a result, there could be all sorts of lurking security issues with users accessing files they shouldn’t be able to; while these are generally fixed they’re not considered “priority” as they would be with a production server, and no one’s really banging on it looking for these things.
Furthermore, see this summer’s Django security update that fixed a situation where a maliciously-crafted URL could give a visitor access to any file the Django user could see, even if it wasn’t under the static root. It’s fixed, but should give you an idea about why you should use a Real Server in production settings.
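The class of problem the answer describes, a requested path resolving to a file outside the static root, is shown below as an added example; it is not code from Django or from the posts above. The names `naive_resolve`, `contained_resolve` and `demo` are hypothetical, and the file tree and request paths are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def naive_resolve(root, url_path):
    """Weak form: trusts the URL path and joins it straight onto the root."""
    return os.path.normpath(os.path.join(root, url_path))


def contained_resolve(root, url_path):
    """Hardened form: return the resolved path only if it stays under root, else None."""
    root = Path(root).resolve()
    # Normalise separators and drop leading ones so an absolute path cannot replace the root.
    candidate = (root / url_path.replace("\\", "/").lstrip("/")).resolve()
    try:
        # resolve() has collapsed ".." and followed symlinks, so this is a real containment test.
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def demo():
    """Build a throwaway tree and compare both resolvers on constructed request paths."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        static_root = Path(base, "static")
        (static_root / "css").mkdir(parents=True)
        (static_root / "css" / "site.css").write_text("body{}")
        # Constructed stand-in for a file the web process can read but must never serve.
        Path(base, "settings.py").write_text("SECRET_KEY = 'constructed'")
        real_base = Path(base).resolve()
        for url_path in ["css/site.css", "../settings.py", "css/../../settings.py"]:
            naive = Path(naive_resolve(static_root, url_path)).resolve()
            safe = contained_resolve(static_root, url_path)
            results[url_path] = (
                naive.relative_to(real_base).as_posix(),
                None if safe is None else safe.relative_to(real_base).as_posix(),
            )
    return results


if __name__ == "__main__":
    for path, (naive, safe) in demo().items():
        print(f"{path!r}: naive -> {naive}, contained -> {safe}")
```
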