Opened 8 years ago

Closed 8 years ago

#26464 closed New feature (fixed)

Add a link to the OWASP Top 10 in "Security in Django" doc

Reported by: James Owned by: nobody
Component: Documentation Version: 1.9
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Using incremental URLs (i.e. /comment/1 is the first comment and /comment/2 is the second comment, respectively for base 64 or other counting systems) is highly dangerous for private information. You could simply get all of the, say, private comments by accessing all comments sequentially and picking out the ones that are private. This can apply to confidential files (link sharing), personal information and more.

There should be a section in the "Security in Django" about this.
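
As an added illustration of the risk the ticket describes (not part of the ticket or of Django's own code), the following Python models two versions of a comment view over a constructed in-memory store: one that trusts the sequential id alone, and one that enforces an object-level check so private comments reach only their owner. A random public identifier is shown as a complementary measure; the names and sample data are assumptions for this example.

```python
import uuid
from dataclasses import dataclass, field

# Constructed sample data, keyed by sequential id as in /comment/1, /comment/2.
@dataclass
class Comment:
    id: int
    owner: str
    text: str
    private: bool
    public_id: str = field(default_factory=lambda: uuid.uuid4().hex)

COMMENTS = {
    1: Comment(1, "alice", "hello world", private=False),
    2: Comment(2, "bob", "my salary is confidential", private=True),
    3: Comment(3, "alice", "draft notes", private=True),
}
BY_PUBLIC_ID = {c.public_id: c for c in COMMENTS.values()}

def view_comment_insecure(comment_id, requesting_user):
    """Looks up by sequential id with no per-object check: walking the
    ids 1, 2, 3, ... returns every private comment to anyone."""
    return COMMENTS.get(comment_id)

def view_comment_checked(comment_id, requesting_user):
    """Same URL scheme, but with object-level authorization. Returns None
    (a 404 in a real view, not a 403, so the existence of someone else's
    private comment is not confirmed) unless the requester may read it."""
    comment = COMMENTS.get(comment_id)
    if comment is None or (comment.private and comment.owner != requesting_user):
        return None
    return comment

def audit_view_for_leaks(view, requesting_user, max_id=10):
    """Defender-side self-test: which private comments of other users does a
    view hand back when ids are requested sequentially? Empty list is good."""
    leaked = []
    for cid in range(1, max_id + 1):
        c = view(cid, requesting_user)
        if c is not None and c.private and c.owner != requesting_user:
            leaked.append(c.id)
    return leaked

def view_comment_by_public_id(public_id, requesting_user):
    """Complementary measure: expose a random UUID instead of the sequential
    id. The authorization check still applies; an unguessable id only removes
    the enumeration shortcut, it is not a substitute for access control."""
    comment = BY_PUBLIC_ID.get(public_id)
    if comment is None or (comment.private and comment.owner != requesting_user):
        return None
    return comment
```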

Change History (8)

comment:1 by Tim Graham, 8 years ago

As the introduction says, "This document is an overview of Django’s security features". How would you frame this issue as one of Django's features?

comment:2 by James, 8 years ago

It includes advice on securing a Django-powered site.

Maybe include it in "Additional security Topics"?

comment:3 by Tim Graham, 8 years ago

Easy pickings: unset

I've raised some ideas about this on the django-developers mailing list.

comment:4 by Tim Graham, 8 years ago

Has patch: set
Summary: Addition to the "Security in Django": Incremental URLs/Identifiers → Add a link to the OWASP Top 10 in "Security in Django" doc
Triage Stage: Unreviewed → Accepted

The discussion on the mailing list concluded to add a link to the OWASP Top 10: PR.

comment:5 by Claude Paroz, 8 years ago

Triage Stage: Accepted → Ready for checkin

comment:6 by Tim Graham <timograham@…>, 8 years ago

In f6ca63a9:

Refs #26464 -- Added a link to OWASP Top 10 in security topic guide.

comment:7 by Tim Graham <timograham@…>, 8 years ago

In bdbfa1b1:

[1.9.x] Refs #26464 -- Added a link to OWASP Top 10 in security topic guide.

Backport of f6ca63a9f8b3d030097135e096c1041e09c29fd9 from master

comment:8 by Tim Graham, 8 years ago

Resolution: fixed
Status: new → closed