Hello Collin, > On 31 déc. 2015, at 23:44, Collin Anderson <cmawebs...@gmail.com> wrote: > > I feel like the insecure flag could get renamed to inefficient or something > like that.
This view is insecure for serving user-uploaded files, for reasons Florian hinted at. Browsers “helpfully” get a lot things wrong for legacy reasons. As a consequence, downloading a file is one of the most insecure things you can do in general. I can’t say for sure if it’s insecure for serving static files. I believe Django has some countermeasures against directory traversal attacks for example. However, since the code wasn’t written with security in mind from the beginning, rewriting it from a security perspective may be the most efficient way to make sure it’s secure. Best regards, -- Aymeric. -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/745A1E1A-AE02-410C-B2B1-705BC08378CC%40polytechnique.org. For more options, visit https://groups.google.com/d/optout.