#26464: Addition to the "Security in Django": Incremental URLs/Identifiers -------------------------------+-------------------- Reporter: CrazyPython | Owner: nobody Type: New feature | Status: new Component: Documentation | Version: 1.9 Severity: Normal | Keywords: Triage Stage: Unreviewed | Has patch: 0 Easy pickings: 1 | UI/UX: 0 -------------------------------+-------------------- Using incremental URLs (i.e. /comment/1 is the first comment and /comment/2 is the second comment, respectively for base 64 or other counting systems) is highly dangerous for private information. You could simply get all of the, say, private comments by accessing all comments sequentially and picking out the ones that are private. This can apply to confidential files (link sharing), personal information and more.
There should be a section in the "Security in Django" about this. -- Ticket URL: <https://code.djangoproject.com/ticket/26464> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To post to this group, send email to django-updates@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/054.473ebc98b80b5c87584ef5cb45381991%40djangoproject.com. For more options, visit https://groups.google.com/d/optout.