In PHP, include() and allow_url_include can be vulnerable to LFI and RFI.

Is Django's include similarly vulnerable to LFI and RFI?

lunatic955 (edited by Prags)

1 Answer

Not unless you mess with the default template loaders. Django doesn't let you include files located outside of the application's templates folders and does its best to prevent you from touching external files using built-in operations.

As a general rule of thumb, it doesn't hurt to keep your application code completely isolated from the path where a user can upload files, and to sanitize user-provided input and limit its interactions with potentially dangerous functions.

– Blender
  • So in short, Django can be secure from LFI and RFI? – lunatic955 Dec 28 '18 at 06:42
  • Or could there be other methods in Django which are vulnerable to LFI and RFI? – lunatic955 Dec 28 '18 at 06:44
  • @PritamSalunkhe: Django (as with just about every other web stack) is flexible enough to easily permit you to write your own file inclusion vulnerability. Your question is hard to definitively answer because there are many ways to use Django and Python dangerously, but it will not be as simple as `include($_GET['query'] . '.php')` if you avoid the clearly dangerous patterns. – Blender Dec 28 '18 at 07:01
  • Can you give an example of how I can use Django methods which can lead to file inclusion? – lunatic955 Jan 28 '19 at 04:15
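The following is an added example, not code from the question, the answer, or Django itself. It shows both halves of the answer in one runnable, Django-free script: the base-directory check that Django's filesystem template loader applies to every template name (re-implemented here as `safe_join_like`, an assumption modelled on the behaviour of `django.utils._os.safe_join`, so the script runs without Django installed), next to the kind of hand-rolled "include" a view author can write with `os.path.join` that behaves like PHP's `include($_GET['page'])`. The template directory, `page.html` and the out-of-tree `secret.txt` are constructed in a temporary directory for the demo; the names `vulnerable_read`, `hardened_read`, `build_fixture` and `demo` are hypothetical helpers for this example only.

```python
"""
Added example: Django's loader-style path check versus a hand-rolled
file read. safe_join_like() is a re-implementation (an assumption about
its behaviour, not Django's code) of django.utils._os.safe_join, which
the filesystem template loader uses for every template name.
"""
import os
import tempfile
from pathlib import Path


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation."""


def safe_join_like(base: str, *paths: str) -> str:
    """Join `paths` onto `base` and refuse any result that leaves `base`.

    Both '../x' and an absolute path resolve outside the base directory
    after abspath(), so both are rejected instead of being opened.
    """
    base_path = os.path.abspath(base)
    final_path = os.path.abspath(os.path.join(base_path, *paths))
    base_with_sep = os.path.join(base_path, "")  # ensures 'base/' prefix match
    if not (final_path == base_path or final_path.startswith(base_with_sep)):
        raise SuspiciousFileOperation(
            f"The joined path ({final_path}) is located outside of the base "
            f"path component ({base_path})"
        )
    return final_path


def vulnerable_read(template_dir: str, name: str) -> str:
    """A view author's own 'include' (hypothetical helper for this example).

    Equivalent in spirit to PHP's include($_GET['page']): os.path.join
    does not reject '..' and, when `name` is absolute, silently discards
    template_dir altogether.
    """
    with open(os.path.join(template_dir, name), encoding="utf-8") as fh:
        return fh.read()


def hardened_read(template_dir: str, name: str) -> str:
    """Same read, but through the loader-style check (hypothetical helper)."""
    with open(safe_join_like(template_dir, name), encoding="utf-8") as fh:
        return fh.read()


def build_fixture() -> tuple[str, str]:
    """Constructed layout: <root>/templates/page.html plus a file outside
    the template directory that must never be reachable."""
    root = tempfile.mkdtemp()
    tpl = Path(root, "templates")
    tpl.mkdir()
    (tpl / "page.html").write_text("<h1>ok</h1>", encoding="utf-8")
    Path(root, "secret.txt").write_text("SECRET", encoding="utf-8")
    return root, str(tpl)


def demo() -> dict[str, str]:
    """Feed three user-controlled names to both readers and report what
    each one returned, or that the hardened reader rejected it."""
    root, tpl = build_fixture()
    outside_abs = str(Path(root, "secret.txt"))
    results: dict[str, str] = {}
    for label, name in [
        ("legit", "page.html"),          # the only name a view should accept
        ("traversal", "../secret.txt"),  # classic LFI payload
        ("absolute", outside_abs),       # os.path.join drops the base here
    ]:
        try:
            results[f"vuln:{label}"] = vulnerable_read(tpl, name)
        except OSError as exc:
            results[f"vuln:{label}"] = f"error: {exc.__class__.__name__}"
        try:
            results[f"safe:{label}"] = hardened_read(tpl, name)
        except SuspiciousFileOperation:
            results[f"safe:{label}"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

Running `demo()` shows `vuln:traversal` and `vuln:absolute` both returning the contents of `secret.txt`, while the hardened reader returns `page.html` for the legitimate name and `rejected` for the other two. That is the distinction the answer draws: `render(request, template_name)` goes through the loader and its check, whereas `open(os.path.join(some_dir, request.GET["f"]))` in your own view does not, and is the Django equivalent of the PHP pattern in the question. Nothing here covers RFI, because the template loaders only read from configured local directories.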