#26464: Addition to the "Security in Django": Incremental URLs/Identifiers
-------------------------------+--------------------
Reporter: CrazyPython | Owner: nobody
Type: New feature | Status: new
Component: Documentation | Version: 1.9
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+--------------------
Using incremental URLs (i.e. /comment/1 is the first comment and
/comment/2 is the second comment, respectively for base 64 or other
counting systems) is highly dangerous for private information. You could
simply get all of the, say, private comments by accessing all comments
sequentially and picking out the ones that are private. This can apply to
confidential files (link sharing), personal information and more.
There should be a section in the "Security in Django" about this.
--
Ticket URL: <https://code.djangoproject.com/ticket/26464>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/054.473ebc98b80b5c87584ef5cb45381991%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
