Opened 9 years ago
Closed 9 years ago
#26464 closed New feature (fixed)
Add a link to the OWASP Top 10 in "Security in Django" doc
Reported by: | James | Owned by: | nobody |
---|---|---|---|
Component: | Documentation | Version: | 1.9 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Using incremental URLs (i.e. /comment/1 is the first comment and /comment/2 is the second comment, respectively for base 64 or other counting systems) is highly dangerous for private information. You could simply get all of the, say, private comments by accessing all comments sequentially and picking out the ones that are private. This can apply to confidential files (link sharing), personal information and more.
There should be a section in the "Security in Django" about this.
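The enumeration risk described above, as an added example that is not part of the ticket or of Django's code: a plain-Python stand-in for a /comment/<id> view that compares a lookup by id alone with one scoped to the requesting user. The names (Comment, lookup_unscoped, lookup_scoped, audit_private_exposure) and the sample data are constructed for this example.

```python
"""Object-level authorization for resources addressed by sequential ids."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Comment:
    id: int        # sequential, therefore guessable
    owner: str
    private: bool
    body: str


# Constructed sample data: three comments from two users.
COMMENTS: Dict[int, Comment] = {
    1: Comment(1, "alice", False, "public note"),
    2: Comment(2, "alice", True, "alice's private draft"),
    3: Comment(3, "bob", True, "bob's private draft"),
}


def lookup_unscoped(viewer: str, comment_id: int) -> Optional[Comment]:
    """Vulnerable pattern: the record is fetched by id alone, so any
    viewer can read any id they can guess (the Django equivalent is
    get_object_or_404(Comment, pk=pk) with no ownership filter)."""
    return COMMENTS.get(comment_id)


def lookup_scoped(viewer: str, comment_id: int) -> Optional[Comment]:
    """Hardened pattern: the lookup is restricted to what this viewer may
    see, i.e. public records plus their own. Private records belonging to
    someone else are reported as missing rather than as forbidden, so the
    response does not confirm that the id exists."""
    comment = COMMENTS.get(comment_id)
    if comment is None:
        return None
    if comment.private and comment.owner != viewer:
        return None
    return comment


def audit_private_exposure(viewer: str,
                           lookup: Callable[[str, int], Optional[Comment]]
                           ) -> List[int]:
    """Defensive check: walk the whole id range as a viewer and return the
    ids of private comments the lookup hands back. With a correct lookup
    only the viewer's own private ids should appear."""
    exposed = []
    for comment_id in range(1, max(COMMENTS) + 1):
        comment = lookup(viewer, comment_id)
        if comment is not None and comment.private:
            exposed.append(comment.id)
    return exposed
```

Random identifiers (e.g. a UUID primary key) make the id range harder to walk, but the scoped lookup is what actually enforces the access rule; the audit function above is the check to keep regardless of the id scheme.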
Change History (8)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
It includes advice on securing a Django-powered site.
Maybe include it in "Additional security Topics"?
comment:3 by , 9 years ago
Easy pickings: | unset
---|---
I've raised some ideas about this on the django-developers mailing list.
comment:4 by , 9 years ago
Has patch: | set
---|---
Summary: | Addition to the "Security in Django": Incremental URLs/Identifiers → Add a link to the OWASP Top 10 in "Security in Django" doc
Triage Stage: | Unreviewed → Accepted
The discussion on the mailing list concluded to add a link to the OWASP Top 10: PR.
comment:5 by , 9 years ago
Triage Stage: | Accepted → Ready for checkin
---|---
comment:8 by , 9 years ago
Resolution: | → fixed
---|---
Status: | new → closed
As the introduction says, "This document is an overview of Django’s security features". How would you frame this issue as one of Django's features?