Separate handling of protected media in Django, with X-Sendfile support

Overview

Build Status

Django Protected Media

Django Protected Media is a Django app that manages media that are considered sensitive in a protected fashion.

Not only does the media get stored in a separate filesystem location, but authorisation is also required to access it.

The application allows for setups where Django performs the authorisation, but hands off the serving of the file to a web server, like Nginx.

Quick start

  1. Add "protected_media" to your INSTALLED_APPS setting like this:
INSTALLED_APPS = [
    ...
    'protected_media.apps.ProtectedMediaConfig',
]
  1. Include the URLconf in your project urls.py like this::
path('protected/', include('protected_media.urls')),
  1. Add the following settings to settings.py if the defaults need to be tweaked:
PROTECTED_MEDIA_ROOT = "%s/protected/" % BASE_DIR
PROTECTED_MEDIA_URL = "/protected"
PROTECTED_MEDIA_SERVER = "nginx"  # Defaults to "django"
PROTECTED_MEDIA_LOCATION_PREFIX = "/internal"  # Prefix used in nginx config
PROTECTED_MEDIA_AS_DOWNLOADS = False  # Controls inclusion of a Content-Disposition header
  1. Use the new field classes in your models:
from protected_media.models import ProtectedImageField, ProtectedFileField

def SomeModel(models.Model):
    document = ProtectedFileField(upload_to="uploads/")
    picture = ProtectedImageField(upload_to="uploads/")
    # Files will be stored under PROTECTED_MEDIA_ROOT + upload_to

Overview

Django manages media based on the following definitions:

BASE_DIR = "/some/application/dir/"
MEDIA_ROOT = "%s/media/" % BASE_DIR
MEDIA_URL = "/media/"

File- and image fields are typically defined as:

document = models.FileField(upload_to="uploads/")
picture = models.ImageField(upload_to="uploads/")
# Files will be stored under MEDIA_ROOT + upload_to

In a typical production environment one would let nginx (or some other server) serve the media:

# Publicly accessible media
location ^~ /media/ {
    alias /some/application/dir/media
}

This works well when the media should be publically accessible. However, if the media should be protected, we need a way for Django to check whether the request for the media should only be allowed for logged in (or more stringent criteria) users.

The protected_media application

The protected_media application consists of

  • new settings.py attributes,
  • a customized FileSystemStorage class,
  • a custom handler for the protected media URL and
  • additional web server configuration if serving via nginx or something similar.

Protected media is stored in a different physical location to publically accessible media. The following settings can be specified in settings.py:

PROTECTED_MEDIA_ROOT = "/some/application/dir/protected/"
PROTECTED_MEDIA_URL = "/protected"
PROTECTED_MEDIA_SERVER = "nginx"  # Defaults to "django"
PROTECTED_MEDIA_LOCATION_PREFIX = "/internal"  # Prefix used in nginx config

When defining a file or image field that needs to be protected, we use one of the classes provided by the protected_media application:

  • ProtectedFileField
  • ProtectedImageField

Protected file- and image fields are typically defined as:

document = ProtectedFileField(upload_to="uploads/")
picture = ProtectedImageField(upload_to="uploads/")
# Files will be stored under PROTECTED_MEDIA_ROOT + upload_to

These classes have a custom storage backend ProtectedFileSystemStorage which mananges the filesystem location and URLs associated with protected media.

When nginx is used, the configuration must be updated to look like this:

# Publicly accessible media
location /media  {
    alias /some/application/dir/media;
}

# Protected media
location /internal  {
    internal;
    alias /some/application/dir/protected;
}
Owner
Cobus Carstens
Cobus Carstens
IDAPatternSearch adds a capability of finding functions according to bit-patterns into the well-known IDA Pro disassembler based on Ghidraโ€™s function patterns format.

IDA Pattern Search by Argus Cyber Security Ltd. The IDA Pattern Search plugin adds a capability of finding functions according to bit-patterns into th

David Lazar 48 Dec 29, 2022
๐™พ๐š™๐šŽ๐š— ๐š‚๐š˜๐šž๐š›๐šŒ๐šŽ ๐š‚๐šŒ๐š›๐š’๐š™๐š - ๐™ฝ๐š˜ ๐™ฒ๐š˜๐š™๐šข๐š›๐š’๐š๐š‘๐š - ๐šƒ๐šŽ๐šŠ๐š– ๐š†๐š˜๐š›๐š” - ๐š‚๐š’๐š–๐š™๐š•๐šŽ ๐™ฟ๐šข๐š๐š‘๐š˜๐š— ๐™ฟ๐š›๐š˜๐š“๐šŽ๐šŒ๐š - ๐™ฒ๐š›๐šŽ๐šŠ๐š๐šŽ๐š ๐™ฑ๐šข : ๐™ฐ๐š•๐š• ๐šƒ๐šŽ๐šŠ๐š– - ๐™ฒ๐š˜๐š™๐šข๐™ฟ๐šŠ๐šœ๐š ๐™ฒ๐šŠ๐š— ๐™ฝ๐š˜๐š ๐™ผ๐šŠ๐š”๐šŽ ๐šˆ๐š˜๐šž ๐š๐šŽ๐šŠ๐š• ๐™ฟ๐š›๐š˜๐š๐š›๐šŠ๐š–๐š–๐šŽ๐š›

๐™พ๐š™๐šŽ๐š— ๐š‚๐š˜๐šž๐š›๐šŒ๐šŽ ๐š‚๐šŒ๐š›๐š’๐š™๐š - ๐™ฝ๐š˜ ๐™ฒ๐š˜๐š™๐šข๐š›๐š’๐š๐š‘๐š - ๐šƒ๐šŽ๐šŠ๐š– ๐š†๐š˜๐š›๐š” - ๐š‚๐š’๐š–๐š™๐š•๐šŽ ๐™ฟ๐šข๐š๐š‘๐š˜๐š— ๐™ฟ๐š›๐š˜๐š“๐šŽ๐šŒ๐š - ๐™ฒ๐š›๐šŽ๐šŠ๐š๐šŽ๐š ๐™ฑ๐šข : ๐™ฐ๐š•๐š• ๐šƒ๐šŽ๐šŠ๐š– - ๐™ฒ๐š˜๐š™๐šข๐™ฟ๐šŠ๐šœ๐š ๐™ฒ๐šŠ๐š— ๐™ฝ๐š˜๐š ๐™ผ๐šŠ๐š”๐šŽ ๐šˆ๐š˜๐šž ๐š๐šŽ๐šŠ๐š• ๐™ฟ๐š›๐š˜๐š๐š›๐šŠ๐š–๐š–๐šŽ๐š›

CodeX-ID 2 Oct 27, 2022
Gefilte Fish GMail filter creator

Gefilte Fish: GMail filter maker Gefilte Fish automates the creation of GMail filters. Use it like this: from gefilte import GefilteFish,

Ned Batchelder 31 Sep 28, 2022
This tool allows to automatically test for Content Security Policy bypass payloads.

CSPass This tool allows to automatically test for Content Security Policy bypass payloads. Usage [cspass]$ ./cspass.py -h usage: cspass.py [-h] [--no-

Ruulian 30 Nov 22, 2022
ๅฏนๅฎ‰ๅ“APPๆณจๅ…ฅMSF PAYLOAD๏ผŒๅนถไธ”ๅฏนๆ‰‹ๆœบ็ฎกๅฎถ่ฟ›่กŒBYPASSใ€‚

520_APK_HOOK ไป‹็ป ๅฐ†msf็”Ÿๆˆ็š„payload๏ผŒๆณจๅ…ฅๅˆฐไธ€ไธชๆญฃๅธธ็š„apkๆ–‡ไปถไธญ๏ผŒ้‡ๆ–ฐๆ‰“ๅŒ…ๅŽ่ฟ›่กŒๅŠ ๅ›บ๏ผŒbypassๆ‰‹ๆœบๅฎ‰ๅ…จ็ฎกๅฎถ็š„ๆฃ€ๆต‹ใ€‚ ้กน็›ฎๅœฐๅ€: https://github.com/cleverbao/520apkhook ไฝœ่€…: BaoGuo ไผ˜็‚น ็›ธๆฏ”ไบŽๅŽŸๅง‹็š„msf่ฟœๆŽง๏ผŒๆญค็‰ˆๆœฌap

BaoGuo 368 Jan 02, 2023
CVE-2021-22005 - VMWare vCenter Server File Upload to RCE

CVE-2021-22005 - VMWare vCenter Server File Upload to RCE Analyze Usage ------------------------------------------------------------- [*] CVE-2021-220

r0cky 224 Aug 05, 2022
SSLyze is a fast and powerful SSL/TLS scanning tool and Python library.

SSLyze SSLyze is a fast and powerful SSL/TLS scanning tool and Python library. SSLyze can analyze the SSL/TLS configuration of a server by connecting

Alban Diquet 2.8k Jan 03, 2023
Obfuscate ip address using different encodings

ipobfuscator How it works? Single ip address can be written in multiple ways. The most popular way is to represent ip as 4 octets separated with dots.

Piotr Warmke 1 Nov 02, 2021
Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.

The Recon-ng Framework Recon-ng content now available on Pluralsight! Recon-ng is a full-featured reconnaissance framework designed with the goal of p

2.4k Jan 07, 2023
This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

26 Dec 26, 2022
PreviewGram is for users that wants get a more private experience with the Telegram's Channel.

PreviewGram is for users that wants get a more private experience with the Telegram's Channel.

1 Sep 25, 2022
Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks.

Dependency Combobulator Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage

Apiiro 84 Dec 23, 2022
Tool ini berfungsi untuk membuat virus secara instan

vbug (ID) Tool ini berfungsi untuk membuat virus secara instan. Dengan begitu pengguna vbug maker dapat menggunakannya dengan mudah dan cepat. Di dala

OneTXz 3 Jun 05, 2022
A small script to export all AWAF policies from a BIG-IP device

This script leverages BIG-IP iControl REST API to export ALL AWAF policies in the system and saves them locally. The policies can be exported in the following formats: xml, plc and json.

3 Feb 03, 2022
Shell hunter for AF

AF-ShellHunter AF-ShellHunter: Auto shell lookup AF-ShellHunter its a script designed to automate the search of WebShell's in AF Team How to pip3 ins

Eduardo 34 May 13, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287

noPac Exploiting CVE-2021-42278 and CVE-2021-42287 ๅŽŸ้กน็›ฎnoPacๅœจๅฎž็ŽฐไธŠๅฏ่ƒฝๆœ‰็‚น้—ฎ้ข˜๏ผŒๅฏผ่‡ดๅœจๆœฌๅœฐๆฒกๆœ‰ๆ‰“้€š๏ผŒไบŽๆ˜ฏๅ‚่€ƒsam-the-admin้กน็›ฎ่ฟ›่กŒไฟฎๆ”นใ€‚ ไฝฟ็”จ pip3 install -r requirements.txt # GetShel

W4ter 2 Jun 23, 2022
Now patched 0day for force reseting an accounts password

Animal Jam 0day No-Auth Force Password Reset via API Now patched 0day for force reseting an accounts password Used until patched to cause anarchy. Pro

IRIS 10 Nov 17, 2022
labsecurity is a tool that brings together python scripts made for ethical hacking, in a single tool, through a console interface

labsecurity labsecurity is a tool that brings together python scripts made for ethical hacking, in a single tool, through a console interface. Warning

Dylan Meca 16 Dec 08, 2022
Using python 3 and Flask an MVC system where the AES 128 CBC and Trivium algorithms

This project was developed using python 3 and Flask, it is an MVC system where the AES 128 CBC and Trivium algorithms can be tested through a communication between the computer and a device such as a

Brandon Israel Camacho Reyes 1 Dec 26, 2021
Lazarus analysis tools and research report

Lazarus Research This repository publishes analysis reports and analysis tools for Operation Dream Job and Operation JTrack for Lazarus. Tools Python

JPCERT Coordination Center 50 Sep 13, 2022