Summary: In the default setup of wsgi, apache and django (at least on ubuntu and debian) by default there are no limits on the size of a file that an attacker can upload. http://cwe.mitre.org/top25/#CWE-770 and see example 2 at http://cwe.mitre.org/data/definitions/770.html Vendor response: " If you have your Apache install configured to accept arbitrarily sized uploads, your Apache install will accept arbitrarily sized uploads. This should not be surprising behavior. If Debian or Ubuntu are packaging Apache with this as the default behavior, that's an issue for Debian and Ubuntu to manage. This doesn't make *Django* insecure -- it makes the default install of *Apache* insecure on those platforms. *Any* application deployed using *any* framework would be subject to the same attack. And the attack can be completely avoided by correctly configuring Apache. And, for the record, the fact that Ubuntu or Debian have chosen these defaults doesn't make Apache insecure either. System defaults exist to make it easy and obvious to get something started. A responsible sysadmin for a public-facing webserver shouldn't be using *any* OS-provided defaults without auditing them. To aid that process, the Django project is in a position to describe the sorts of issues that a sysadmin should watch out for; hence, documenting deployment-related security issues such as this one is in scope. However, at the end of the day, as Graham and I have *repeatedly* told you -- this is an issue that should be caught at the webserver, not at the application level. Even if we weren't talking about duplicating functionality (and we are), there are both practical and technical reasons why it is inappropriate for Django to implement file-upload size restrictions. This problem can be avoided with appropriate configuration of your web server, and therefore should be. " -- Alas, how love can trifle with itself! -- William Shakespeare, "The Two Gentlemen of Verona"
