#django

Why isn't it... protected? :|

jennifer: where?

jennifer: finish part 4 of the tutorial before doing any upload stuff

lol

that's not Django

Finish tutorial this man says

Django is https://github.com/django/django

jennifer, because people aren't security conscious

I know, I'm following a different tutorial because I just need to get this going with

cybo_, I'm doing this for a security class, so it's really just hw

My professor said to use php so she can show us how to find bugs but I insisted on python because I said in the real world I'd never lower myself to working with php grubs

She said "okay"

So here I am trying to learn Django in a hour

It's actually a lot of fun

I can see some security problems with some of these codes on github

jennifer, it probably won't be all the beneficial to do it in django then

Whether it's Amazon API code or some other crap

it does a lot for you out of the box

cybo_, why not? I just wanna get this homework done with, which is create a simple upload website

...

What are you suggesting sir?

if the point of the class is to learn about different security issues, then you won't learn them by not dealing with them directly

Oh no

I will learn

Don't you worry your little heart

which is possibly why you were suggested to use php ;)

I hate php and would rather starve than work with php

have you ever used it?

I'm already starving too hm

yeah

I have a few small project in php when I first started out

Php taught me a lot but security isn't one of the,m

Did you see the link or did I send the wrong one?

the spec? yes

here

Have fun

Gonna need 30 min to focus on making this magic work

Where can I read about {% I see stuff here %}?

templates

like you saw in the tutorial

you did do the tutorial, right?

she's half way through

ah

(assuming she)

I did the tutorial halfway as said, then I went onto another tutorial that focused on what I needed, I got most of the idea heh

those things between {% %} are called template tags

Oh cool this tutorial uses / teaches csrf_token

Why does a few of these line have double {{}}?

{{ }} is variable interpolation

{% %} run Python code from a register of functions (template tags)

Oh

Literal string

Got it

variable

{{ }} print the value of an object referenced inside, can't run arbitrary code

the precise syntax of what can be used inside {{ }} are explained somewhere in the docs, the point being is that it's intentionally limited

s/are/is/

why people love jinja templates?

ya

I'm using https://docs.djangoproject.com/en/1.10/ref/temp...

bambanx: because they think Python code in templates are fine, probably?

It's not that magical

s/is/are/ grrrrrrrrr

Bambanx do you have an alternative?

jennifer: default Django templates

Btw I can delete pyc files when uploading for my professor, yeah?

She doesn't need the pyc files I think

jennifer: correct, but how do you expect them to run your code?

I give them the py files

The source code

It's just they'll have to download Django and all

oh

Koterpillar, what do you think? its good practice to use python on templates? what are your thoughts?

heh

bambanx: no

jennifer: and Python

I dunno why I cackled at that but I guess it's funny

hello jennifer

what would be the best way to migrate a set of tags from a taggit TagableManager field from one model to another?

bambanx: I consider Hamlet a good templating system (warning: not Python)

Koterpillar, its kinda pug(jade) ?

mmm, not familiar with those. It's more about the type safety

ok

thanks for share your wisdom Koterpillar

but then again, I'm not good enough with Web design

Koterpillar, what do you use Django for?

web apps

but our team has a total of 2 people whose job is to suffer CSS

Hm this is new

guys what is the way to act if some guy stole your database of some apps ? if this database have all password of your users? those are encrypted?

Class inside of a class? that's pretty rare in C++

What does that do in python?

jennifer: introduces a class

jennifer: only visible inside the scope

bambanx, you freak out, you scold your security team, then you figure out damage control

Then you get some paperwork done, talk to your lawyer

Get everybody to assess the damage done and figure out how to prevent in the future

Notify customers

If those passwords are poorly hashed, you're in trouble

jennifer: classes are dynamic, like everything else in Python

Send out a mass email to get those users to change their pw asap

Um I forgot what else you can do

Koterpillar, okay

ty

jennifer: you can introduce functions inside classes inside functions...

ok but in terms of programming what you can do? the password are encrypted on the database?

bambanx: whatever you _could_ do is already irrelevant

bambanx: yes, passwords are encrypted

hashed, in fact... so there's no decryption possible

Koterpillar, I know about functions inside of a functiojn

But not class inside of a class

FunkyBob, it can be broken

Hashed doesn't mean shit nowadays

what is the diference of hashed with encrypted?

bambanx, if it's hashed, it's usually one way

bambanx: hash isn't reversible

jennifer: a class is just a function that takes constructor arguments and returns *something* with methods

If it's encrypted, it can be decrypted

jennifer: it will be costly

jennifer: well, the default hashing in django's auth is salted and iterated 20,000 times or more

FunkyBob, don't say, it's usually not easily reversible, but that's a false sense of security

Somebody with enough time and knowledge will crack it open

well

okay

So that just means django's hashing is decent

thanks guys

I'm curious as to how Django would hold up against various attack vectors out there that could, on nation-state level crack passwords like nobody

it should be upped to about 100,000 iterations in 2.0, iirc

it's upped every release to compensate for improved hardware

Good job

Like Drupal, they try to keep up to date then