Replies: 1 comment
-
|
Hi @ad-65 👋, Thanks for reaching out and for your kind words. They really mean a lot to me. First, let me say, yes, the patching magic should be optional (and it is). However, it is neither documented nor painless and is due for an improvement. However, let me quickly address some of your concerns, to save you some hassle.
There shouldn't be, unless you execute arbitrary code from your storage (which you probably shouldn't). If your key value blob store (like S3) is properly configured, files uploaded by users shouldn't be shareable/downloadable, executable or otherwise injectable into your application. You are also protected from cost dangers, as the max upload boy size for pre-signed URLs is 5 GB.
This is important! They really don't. That the whole purpose of this package. Processing a large request through your WSGI-stack (even with a reverse proxy) is likely to make you vulnerable to simple DOS attacks. In fact, I would strongly advise you to configure your reverse proxy or ELB to disconnect large requests. File processing should always be handled asynchronously, and probably buy a machine that is optimized to handle this workload. Even if you want to process files in your web application, this package will make this process very painless, as the Django
To add to what I said before: Size doesn't matter 😉 Latency might. You really don't want your server to wait for a request to finish (w/o a reverse proxy). I'm restricting users to 'only upload small files', isn't adding to your user experience. That goes double, when we are talking about upload images. That was a rather long answer, I hope you appreciate my candor and level of detail. Now, let's get back to the topic at hand. Since the default behavior is "pretty magical", having an option to disable it, should be included (with a warning). My preferred solution would be to add a separate app config, people can include alternatively. Since you raised the topic, are you interested in providing a patch yourself? I don't want to steal your thunder. If you, I am happy to create a patch myself. Best |
Beta Was this translation helpful? Give feedback.
-
First off, thank you for the great library. Using S3 signed URLs is an awesome addition to Django S3 backed storage.
Secondly, I just wanted to put an idea out there. Sometimes we may not want all django-storages backed file uploads to use s3 pre-signed URLs, maybe some files require server processing, there are security issues with pre-signed URLs in some parts of the application, or maybe we just want to use it for large uploads only. Currently this can be accomplished by not registering the app in
INSTALLED_APPSor creating a custom wrapper app that omits the widget patching magic:then a custom widget can be specified for only the fields that should use pre-signed URLs:
The first approach of not registering the app means it isn't in the app registry and doesn't include statics files. The second approach works fine but I was wondering if a setting that can turn off the widget patching magic might be a good idea? Something like:
Maybe there is a better way to do this but it seems having the ability to mix and match upload types would be a good feature.
Anyway, thanks again for your work on this library.
Beta Was this translation helpful? Give feedback.
All reactions