>From a Trac ticket [0]: "Using incremental URLs (i.e. /comment/1 is the first comment and /comment/2 is the second comment, respectively for base 64 or other counting systems) is highly dangerous for private information. You could simply get all of the, say, private comments by accessing all comments sequentially and picking out the ones that are private. This can apply to confidential files (link sharing), personal information and more. There should be a section in the "Security in Django" about this."
Currently, the "Security in Django" document [1] says "This document is an overview of Django’s security features". I don't feel that addressing this concern, e.g. by using a randomly generated CharField or UUIDField primary key, would be considered a "security feature." Perhaps it would be worth creating a document that goes point by point through the OWASP Top 10 similar to this blog post [2] where something like this could be addressed. I know there have been some conferences talks addressing how Django address the OWASP Top 10 as well [3,4]. What do you think? [0] https://code.djangoproject.com/ticket/26464 [1] https://docs.djangoproject.com/en/dev/topics/security/ [2] http://blog.mikeleone.com/2011/10/security-django-and-owasp-top-10.html [3] Florian at Django Under the Hood 2015: https://opbeat.com/events/duth/ [4] Jacob at Pycon Australia 2013: https://www.youtube.com/watch?v=sra9x44lXgU -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/ba3ddbfa-bdba-4b25-9f24-f9199118d267%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
