[Django] #26464: Addition to the "Security in Django": Incremental URLs/Identifiers
Django
-------------------------------+--------------------
Reporter: CrazyPython | Owner: nobody
Type: New feature | Status: new
Component: Documentation | Version: 1.9
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+--------------------
Using incremental URLs (i.e. /comment/1 is the first comment and
/comment/2 is the second comment, respectively for base 64 or other
counting systems) is highly dangerous for private information. You could
simply get all of the, say, private comments by accessing all comments
sequentially and picking out the ones that are private. This can apply to
confidential files (link sharing), personal information and more.
There should be a section in the "Security in Django" about this.
--
Ticket URL: <https://code.djangoproject.com/ticket/26464>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: CrazyPython | Owner: nobody
Type: New feature | Status: new
Component: Documentation | Version: 1.9
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by timgraham):
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
Comment:
As the introduction says, "This document is an overview of Django’s
security features". How would you frame this issue as one of Django's
features?
--
Ticket URL: <https://code.djangoproject.com/ticket/26464#comment:1>
Django
Reporter: CrazyPython | Owner: nobody
Type: New feature | Status: new
Component: Documentation | Version: 1.9
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Easy pickings: 1 | UI/UX: 0
Comment (by CrazyPython):
> It includes advice on securing a Django-powered site.
Maybe include it in "Additional security Topics"?
--
Ticket URL: <https://code.djangoproject.com/ticket/26464#comment:2>
Django
Reporter: CrazyPython | Owner: nobody
Type: New feature | Status: new
Component: Documentation | Version: 1.9
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
-------------------------------+--------------------------------------
Changes (by timgraham):
* easy: 1 => 0
Comment:
I've raised some ideas about this on the
[https://groups.google.com/d/topic/django-
developers/_Z6ZufcOmps/discussion django-developers mailing list].
--
Ticket URL: <https://code.djangoproject.com/ticket/26464#comment:3>
Django
-------------------------------+------------------------------------
Reporter: CrazyPython | Owner: nobody
Type: New feature | Status: new
Component: Documentation | Version: 1.9
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
* has_patch: 0 => 1
* stage: Unreviewed => Accepted
Comment:
The discussion on the mailing list concluded to to add a link to the OWASP
Top 10: [https://github.com/django/django/pull/6425 PR].
--
Ticket URL: <https://code.djangoproject.com/ticket/26464#comment:4>
Django
Reporter: CrazyPython | Owner: nobody
Type: New feature | Status: new
Component: Documentation | Version: 1.9
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by claudep):
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/26464#comment:5>
Django
-------------------------------------+-------------------------------------
Type: New feature | Status: new
Component: Documentation | Version: 1.9
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Tim Graham <timograham@…>):
In [changeset:"f6ca63a9f8b3d030097135e096c1041e09c29fd9" f6ca63a9]:
{{{
#!CommitTicketReference repository=""
revision="f6ca63a9f8b3d030097135e096c1041e09c29fd9"
Refs #26464 -- Added a link to OWASP Top 10 in security topic guide.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26464#comment:6>
Django
-------------------------------------+-------------------------------------
Type: New feature | Status: new
Component: Documentation | Version: 1.9
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Tim Graham <timograham@…>):
In [changeset:"bdbfa1b1f81536642cb4518877bdb4ecd18e83b7" bdbfa1b1]:
{{{
#!CommitTicketReference repository=""
revision="bdbfa1b1f81536642cb4518877bdb4ecd18e83b7"
[1.9.x] Refs #26464 -- Added a link to OWASP Top 10 in security topic
guide.
Backport of f6ca63a9f8b3d030097135e096c1041e09c29fd9 from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26464#comment:7>
Django
-------------------------------------+-------------------------------------
Type: New feature | Status: closed
Component: Documentation | Version: 1.9
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* status: new => closed
* resolution: => fixed
--
Ticket URL: <https://code.djangoproject.com/ticket/26464#comment:8>