Changes between Version 1 and Version 9 of Ticket #35730


Timestamp: Sep 9, 2024, 4:01:19 AM (2 months ago)
Author: Remy
  • Ticket #35730

    • Property Triage Stage: Unreviewed → Accepted
    • Property Owner: set to Remy
    • Property Status: new → assigned
    • Property Version: 5.1dev
    • Property "Patch needs improvement": set
    • Property "Needs documentation": set
    • Property Summary: "Enhance password reset security by signing 'uid' parameter instead of base64-encoding to prevent possible user count leakage" → "Enhance password reset security by encrypting 'uid' parameter instead of base64-encoding to prevent possible user count leakage"
  • Ticket #35730 – Description

    Diff between v1 and v9 of the description (only the line marked Removed/Added changed):

    Unmodified (line 5): Surely, organizations that design their entities with non-enumerable public identifiers (such as by using a `UUIDField` for the primary key) would not be affected by this, however as the issue is also addressed by other means, such as a secondary public identifier, or simply a careful app design, I would still think that many Django site owners who prefer to keep this information private are likely unaware that it’s being exposed through this native mechanism.

    Removed (v1, line 7): To prevent the leakage of the `user.pk` value by default, I replaced the base64 encoding with the signing of the `user.pk` value (PR https://github.com/django/django/pull/18539).

    Added (v9, line 7): To prevent the leakage of the `user.pk` value by default, I replaced the base64 encoding with the encrypting of the `user.pk` value (PR https://github.com/django/django/pull/18539).