Django 的安全策略
Django的开发团队致力于负责地报告和披露与安全相关的问题。因此,我们采用并遵循了一套符合这种理想的策略,以便及时向Django的官方发行版和第三方发行版发布安全更新。
报告安全问题
简而言之:请通过电子邮件security@djangoproject.com报告安全问题。
Most normal bugs in Django are reported to our public Trac instance, but due to the sensitive nature of security issues, we ask that they not be publicly reported in this fashion.
Instead, if you believe you’ve found something in Django which has security implications, please send a description of the issue via email to security@djangoproject.com
. Mail sent to that address reaches the security team.
Once you’ve submitted an issue via email, you should receive an acknowledgment from a member of the security team within 48 hours, and depending on the action to be taken, you may receive further followup emails.
Sending encrypted reports
If you want to send an encrypted email (optional), the public key ID for security@djangoproject.com
is 0xfcb84b8d1d17f80b
, and this public key is available from most commonly-used keyservers.
支持的版本
Django团队在任何时候都会为几个版本的Django提供官方安全支持。
- The main development branch, hosted on GitHub, which will become the next major release of Django, receives security support. Security issues that only affect the main development branch and not any stable released versions are fixed in public without going through the disclosure process.
- 两个最新的Django发行版系列都提供了安全支持。例如,在Django 1.5发布之前的开发周期中,将支持Django 1.4和Django 1.3。在Django 1.5发布后,Django 1.3的安全支持将结束。
- Long-term support releases will receive security updates for a specified period.
当出于安全原因发布新版本时,附带的通知将包括受影响的版本列表。此列表仅包含*支持*的Django版本:旧版本也可能受到影响,但我们不会调查这一点,也不会为这些版本发布补丁或新版本。
Django 如何披露安全问题
我们将一个安全问题从私下讨论到公开披露的过程涉及多个步骤。
Approximately one week before public disclosure, we send two notifications:
First, we notify django-announce of the date and approximate time of the upcoming security release, as well as the severity of the issues. This is to aid organizations that need to ensure they have staff available to handle triaging our announcement and upgrade Django as needed. Severity levels are:
High:
- 远程代码执行
- SQL 注入
Moderate:
- 跨站脚本攻击(XSS)
- 跨站请求伪造(CSRF)
- 拒绝服务攻击
- 损坏的认证
Low:
- 敏感数据暴露
- 会话管理损坏
- 未验证重定向
- Issues requiring an uncommon configuration option
Second, we notify a list of people and organizations, primarily composed of operating-system vendors and other distributors of Django. This email is signed with the PGP key of someone from Django’s release team and consists of:
- 问题的完整描述以及受影响的Django版本
- 我们将采取的补救措施。
- 补丁(如果有的话)将应用于Django。
- The date on which the Django team will apply these patches, issue new releases and publicly disclose the issue.
On the day of disclosure, we will take the following steps:
- Apply the relevant patch(es) to Django’s codebase.
- Issue the relevant release(s), by placing new packages on the Python Package Index and on the djangoproject.com website, and tagging the new release(s) in Django’s git repository.
- Post a public entry on the official Django development blog, describing the issue and its resolution in detail, pointing to the relevant patches and new releases, and crediting the reporter of the issue (if the reporter wishes to be publicly identified).
- Post a notice to the django-announce and oss-security@lists.openwall.com mailing lists that links to the blog post.
If a reported issue is believed to be particularly time-sensitive — due to a known exploit in the wild, for example — the time between advance notification and public disclosure may be shortened considerably.
Additionally, if we have reason to believe that an issue reported to us affects other frameworks or tools in the Python/web ecosystem, we may privately contact and discuss those issues with the appropriate maintainers, and coordinate our own disclosure and resolution with theirs.
The Django team also maintains an archive of security issues disclosed in Django.
Who receives advance notification
The full list of people and organizations who receive advance notification of security issues is not and will not be made public.
We also aim to keep this list as small as effectively possible, in order to better manage the flow of confidential information prior to disclosure. As such, our notification list is not simply a list of users of Django, and being a user of Django is not sufficient reason to be placed on the notification list.
In broad terms, recipients of security notifications fall into three groups:
- Operating-system vendors and other distributors of Django who provide a suitably-generic (i.e., not an individual’s personal email address) contact address for reporting issues with their Django package, or for general security reporting. In either case, such addresses must not forward to public mailing lists or bug trackers. Addresses which forward to the private email of an individual maintainer or security-response contact are acceptable, although private security trackers or security-response groups are strongly preferred.
- On a case-by-case basis, individual package maintainers who have demonstrated a commitment to responding to and responsibly acting on these notifications.
- On a case-by-case basis, other entities who, in the judgment of the Django development team, need to be made aware of a pending security issue. Typically, membership in this group will consist of some of the largest and/or most likely to be severely impacted known users or distributors of Django, and will require a demonstrated ability to responsibly receive, keep confidential and act on these notifications.
Security audit and scanning entities
As a policy, we do not add these types of entities to the notification list.
Requesting notifications
If you believe that you, or an organization you are authorized to represent, fall into one of the groups listed above, you can ask to be added to Django’s notification list by emailing security@djangoproject.com
. Please use the subject line “Security notification request”.
您的请求**必须**包含以下信息:
- Your full, real name and the name of the organization you represent, if applicable, as well as your role within that organization.
- A detailed explanation of how you or your organization fit at least one set of criteria listed above.
- A detailed explanation of why you are requesting security notifications. Again, please keep in mind that this is not simply a list for users of Django, and the overwhelming majority of users should subscribe to django-announce to receive advanced notice of when a security release will happen, without the details of the issues, rather than request detailed notifications.
- The email address you would like to have added to our notification list.
- An explanation of who will be receiving/reviewing mail sent to that address, as well as information regarding any automated actions that will be taken (i.e., filing of a confidential issue in a bug tracker).
- For individuals, the ID of a public key associated with your address which can be used to verify email received from you and encrypt email sent to you, as needed.
Once submitted, your request will be considered by the Django development team; you will receive a reply notifying you of the result of your request within 30 days.
Please also bear in mind that for any individual or organization, receiving security notifications is a privilege granted at the sole discretion of the Django development team, and that this privilege can be revoked at any time, with or without explanation.
Provide all required information
A failure to provide the required information in your initial contact will count against you when making the decision on whether or not to approve your request.