The Django Web - ce.sharif.edu/~zarrabi/courses/2013/ce419/notes/django-8.pdf
Middleware
• It’s a light, low-level “plugin” system for globally altering Django’s input or output.
• Each middleware component is responsible for doing some specific function
• SessionMiddleware, AuthenticationMiddleware, etc.
Middleware
• MIDDLEWARE_CLASSES in settings.py
• Order is important (dependencies, for example).
MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
)
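An added illustration (not from the slides and not Django's own code) of why the order of MIDDLEWARE_CLASSES matters: Django 1.6 calls process_request top to bottom and process_response bottom to top, and AuthenticationMiddleware only works if SessionMiddleware already ran. Req, SessionMW, AuthMW and run_chain are constructed stand-ins; Django itself is not imported.

```python
class Req:
    """Minimal request object; attributes are filled in by middleware."""
    def __init__(self):
        self.session = None
        self.user = None


class SessionMW:
    def process_request(self, request, trace):
        request.session = {}                 # load the session from the cookie
        trace.append("session.request")

    def process_response(self, request, response, trace):
        trace.append("session.response")     # e.g. emit Set-Cookie
        return response


class AuthMW:
    def process_request(self, request, trace):
        # Depends on SessionMiddleware having populated request.session first.
        if request.session is None:
            raise RuntimeError("AuthenticationMiddleware requires SessionMiddleware")
        request.user = "alice"               # would be looked up via the session
        trace.append("auth.request")


def run_chain(middleware_classes, request):
    """Walk the chain the way Django does; return the order the hooks fired."""
    trace = []
    chain = [cls() for cls in middleware_classes]
    for mw in chain:                         # settings order
        if hasattr(mw, "process_request"):
            mw.process_request(request, trace)
    response = "200 OK"
    for mw in reversed(chain):               # reverse settings order
        if hasattr(mw, "process_response"):
            response = mw.process_response(request, response, trace)
    return trace
```

Swapping the two classes makes the chain fail on the first request, which is the dependency the slide warns about.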
Default Middlewares
• CommonMiddleware
• GZipMiddleware
• LocaleMiddleware
• SessionMiddleware
• AuthenticationMiddleware
• CsrfViewMiddleware
Basic File Uploads
from django import forms

class UploadFileForm(forms.Form):
    title = forms.CharField(max_length=50)
    file = forms.FileField()

<form method="post" enctype="multipart/form-data">
    ...
</form>
Basic File Uploads
from django.http import HttpResponseRedirect
from django.shortcuts import render_to_response
from myapp.forms import UploadFileForm

# Imaginary function to handle an uploaded file.
from somewhere import handle_uploaded_file

def upload_file(request):
    if request.method == 'POST':
        form = UploadFileForm(request.POST, request.FILES)
        if form.is_valid():
            handle_uploaded_file(request.FILES['file'])
            return HttpResponseRedirect('/success/url/')
    else:
        form = UploadFileForm()
    return render_to_response('upload.html', {'form': form})
Handling Uploaded File
def handle_uploaded_file(f):
    with open('some/file/name.txt', 'wb+') as destination:
        for chunk in f.chunks():
            destination.write(chunk)
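The slide's handler writes every upload to one fixed path. An added example (not from the slides or from Django) of the same chunked write done with the client-supplied name, restricted so that it can never pick a directory and the file cannot grow without bound; FakeUpload, SAFE_NAME, MAX_BYTES and demo are constructed for this illustration.

```python
import os
import re
import tempfile

class FakeUpload:
    """Stand-in for Django's UploadedFile: exposes .name and .chunks()."""
    def __init__(self, name, data, chunk_size=4):
        self.name, self.data, self.chunk_size = name, data, chunk_size

    def chunks(self):
        for i in range(0, len(self.data), self.chunk_size):
            yield self.data[i:i + self.chunk_size]

SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")  # no '/', '\\' or leading '.'
MAX_BYTES = 1024 * 1024  # assumed per-file cap for this example

def handle_uploaded_file(f, upload_root):
    """Store f under upload_root; reject names that could escape it or files too big."""
    if not SAFE_NAME.match(f.name):
        raise ValueError("rejected upload name: %r" % f.name)
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, f.name))
    if os.path.dirname(dest) != root:  # defence in depth against traversal
        raise ValueError("destination escapes upload root")
    written = 0
    try:
        with open(dest, "wb") as destination:
            for chunk in f.chunks():
                written += len(chunk)
                if written > MAX_BYTES:
                    raise ValueError("upload exceeds %d bytes" % MAX_BYTES)
                destination.write(chunk)
    except Exception:
        if os.path.exists(dest):
            os.remove(dest)  # do not leave a partial file behind
        raise
    return dest

def demo():
    """A normal upload is stored; a traversal-style name is refused."""
    root = tempfile.mkdtemp()
    stored = handle_uploaded_file(FakeUpload("report.pdf", b"hello world"), root)
    with open(stored, "rb") as fh:
        content = fh.read()
    try:
        handle_uploaded_file(FakeUpload("../../etc/passwd", b"x"), root)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return os.path.basename(stored), content, verdict
```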
Files in Models
• models.FileField
• upload_to
• MEDIA_ROOT & MEDIA_URL
class models.FileField(upload_to=None[, max_length=100, **options])
Serving Static Files
• Websites generally need to serve additional files such as images, JavaScript, or CSS.
• Django provides django.contrib.staticfiles to help you manage them. 😊
Serving Static Files
1. Make sure that django.contrib.staticfiles is included in your INSTALLED_APPS.
2. In your settings file, define STATIC_URL.
4. Use {% static %} in your templates.
STATIC_URL = '/static/'
{% load staticfiles %}
<img src="{% static "my_app/myexample.jpg" %}" alt="My image"/>
Serving Static Files
• Serving static files during development.
• Serving static files after deployment.
• STATIC_ROOT
• manage.py collectstatic
Common Attack Types
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• SQL Injection
• Clickjacking
• User-uploaded Content
Cross Site Scripting
• XSS attacks allow a user to inject client-side scripts into the browsers of other users.
• Usually achieved by storing the malicious scripts in the database.
• Let’s see an example.
Cross Site Scripting Protection
• Using Django templates protects you against the majority of XSS attacks.
• Django templates escape specific characters which are particularly dangerous to HTML.
• {% autoescape off %}
• You should also be very careful when storing HTML in the database, especially when that HTML is retrieved and displayed.
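An added example (not from the slides or from Django's source) of the substitutions Django's template autoescaping applies and of what {% autoescape off %} changes when stored HTML is displayed; ESCAPES, render_comment and STORED_COMMENT are constructed for this illustration.

```python
# The five replacements made by django.utils.html.escape; '&' must go first so
# the entities produced by the later replacements are not escaped again.
ESCAPES = (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;"), ("'", "&#39;"))

def django_escape(text):
    """Same character substitutions as Django's autoescaping."""
    for raw, safe in ESCAPES:
        text = text.replace(raw, safe)
    return text

def render_comment(stored_html, autoescape=True):
    """Mimics <p>{{ comment }}</p>: escaped by default, verbatim inside
    {% autoescape off %} (or when the value is marked safe)."""
    body = django_escape(stored_html) if autoescape else stored_html
    return "<p>%s</p>" % body

# Constructed: a comment that was saved to the database as-is.
STORED_COMMENT = "<script>alert(1)</script>"
```

With autoescaping on the browser shows the comment as text; with it off the stored script is emitted into the page unchanged.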
Cross Site Request Forgery (CSRF)
• Also known as one-click attack or session riding.
• CSRF attacks allow a malicious user to execute actions using the credentials of another user without that user’s knowledge or consent.
• Let’s see an example.
Cross Site Request Forgery
Eve: Hello Alice! Look here: <img src="http://bank.com/withdraw?account=Alice&amount=1000&for=Eve">
Cross Site Request Forgery
• Involve sites that rely on a user's identity.
• Exploit the site's trust in that identity.
• Trick the user's browser into sending HTTP requests to a target site.
• Involve HTTP requests that have side effects.
Cross Site Request Forgery Protection
• Django has built-in protection against most types of CSRF attacks.
• It’s enabled by default.
Cross Site Request Forgery Protection
<form method="post">{% csrf_token %}…</form>
<input type='hidden' name='csrfmiddlewaretoken' value='db6f662fc2ae5cc0e0823fb7e0331e79' />
How Does It Work?
1. A CSRF cookie that is set to a random value.
2. A hidden form field with the name ‘csrfmiddlewaretoken’ present in all outgoing POST forms.
3. For all incoming requests that are not using HTTP GET, HEAD, OPTIONS or TRACE, a CSRF cookie must be present, and the ‘csrfmiddlewaretoken’ field must be present and correct.
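An added example (not from the slides or from Django's CsrfViewMiddleware) that applies the three rules above to a request and replays the Alice/Eve scenario from the earlier slide; csrf_check, demo and the cookie jar are constructed, while the token value is the one shown on the slide.

```python
import hmac

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
COOKIE_NAME = "csrftoken"            # Django's default CSRF cookie name
FIELD_NAME = "csrfmiddlewaretoken"   # the hidden field {% csrf_token %} emits

def csrf_check(method, cookies, post_data):
    """Apply the slide's rules; return (accepted, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, not checked"
    cookie = cookies.get(COOKIE_NAME)
    if not cookie:
        return False, "CSRF cookie not set"
    token = post_data.get(FIELD_NAME)
    if not token:
        return False, "CSRF token missing"
    if not hmac.compare_digest(cookie, token):   # constant-time comparison
        return False, "CSRF token incorrect"
    return True, "token matches cookie"

TOKEN = "db6f662fc2ae5cc0e0823fb7e0331e79"      # value from the slide

def demo():
    # Constructed cookie jar for Alice's browser, logged in to the bank.
    alice_cookies = {COOKIE_NAME: TOKEN, "sessionid": "s3ss10n"}
    # Alice submits the bank's own form: cookie and hidden field both arrive.
    legit = csrf_check("POST", alice_cookies, {FIELD_NAME: TOKEN, "amount": "10"})
    # A request triggered from Eve's page: the browser still attaches Alice's
    # cookies, but Eve's page cannot read them, so the field is absent...
    forged = csrf_check("POST", alice_cookies, {"amount": "1000", "for": "Eve"})
    # ...or wrong, since the token is random per cookie.
    guessed = csrf_check("POST", alice_cookies, {FIELD_NAME: "0" * 32})
    return legit, forged, guessed
```

The check only covers non-safe methods, which is why the withdrawal on the Eve slide must not be reachable by a plain GET.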
SQL Injection
• SQL injection is a type of attack where a malicious user is able to execute arbitrary SQL code on a database.
• An attacker can drop tables, delete data or access unauthorized resources.
• Let’s see an example.
SQL Injection Protection
• By using Django’s querysets, the resulting SQL will be properly escaped by the underlying database driver.
• However, Django also gives developers the power to write raw queries or execute custom SQL.
• Be careful when you use these capabilities.