Isn't it unsafe to expose django media_url to everyone?

Question

According to Django document: "it was common to place static assets in MEDIA_ROOT along with user-uploaded files, and serve them both at MEDIA_URL. "

Does that mean everyone could access other people's uploaded files? Isn't it unsafe?

Answer 1

Yes

A clever user can possibly guess the path to media files belonging to other users.

Django was born in the news publishing business where this was not of concern: the admin is based in the concept of trusted users like writers and editors belonging to the same organization.

Mitigation

Requiring authentication

Not my first choice but you can make the webserver authenticate against Django's user database:

WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py
WSGIPythonPath /path/to/mysite.com

WSGIProcessGroup %{GLOBAL}
WSGIApplicationGroup %{GLOBAL}

<Location "/media/private-user-content/">
    AuthType Basic
    AuthName "Top Secret"
    Require valid-user
    AuthBasicProvider wsgi
    WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py
</Location>

The accepted answer recommends serving sensitive files from an authenticated Django view. It is OK for low traffic apps but for larger projects it carries a performance hit not every site can afford.

Serving from Cloud Storage Services

Large projects should be using some cloud storage backend for both performance and cost considerations. If your project is already hosted at some of the big 3 (AWS, GCP, Azure) check Django Storages. For example, if you are using the S3 backend, you can turn "query parameter authentication" for generated URLs and voila, problem gone. This has some advantages:

• it is transparent to developers
• enterprise-grade performance
• lower cost of storage and network
• probably the most secure option

Obfuscating the path

For small projects where you are serving media and application from the same webserver you can make very hard for nosy users to find media files not belonging to them:

1) disable the web server "auto index" in the MEDIA_ROOT folder. For apache, it is like:

<Directory /path/to/application/media/root>
   Options -Indexes
</Directory>

Without indexes, in order to access files belonging to other people you will have to guess the exact file name.

2) make the file path hard to guess using a crypto hash in the "upload_to" parameter from FileFields:

def hard_to_guess(instance, filename):
    salt = 'six random words for hidden salt'
    hash =  hashlib.md5(instance.user.username + salt)
    return '/'.join(['content', hash, filename])

...

class SomeModel(models.Model):
    ...
    user = models.ForeignKey(User)        
    content = models.FileField(upload_to=hard_to_guess)
    ...

This solution has no performance hit because media files are still served directly from the webserver.

Answer 2

To answer your question: yes, this would allow everyone to access everybody's uploaded files. And yes, this is a security risk.

As a general rule, sensitive files should never be served directly from the filesystem. As another rule, all files should be considered sensitive unless explicitly marked otherwise.

The origin of the MEDIA_ROOT and MEDIA_URL settings probably lie in Django's history as a publishing platform. After all, your editors probably won't mind if the pictures they add to articles can easily be found. But then again, pictures accompanying an article are usually non-sensitive.

To expand on your question: sensitive files should always be placed in a directory that is not directly accessible by the web server. Requesting those files should only be done through a view class or function, which can do some sensible access checking before serving the file.

Also, do not rely on obfuscation for sensitive files. For example, let's use Paulo's example (see other answer) to obfuscate photo albums. Now my pictures are stored like MEDIA_URL/A8FEB0993BED/P100001.JPG. If I share this link with someone else, they can easily try URLs like MEDIA_URL/A8FEB0993BED/P710032.JPG, basically allowing them to brute-force my entire photo album.