Interview for a project of the master in computer engineering at the UdC

2021-01-06 Thread Jorge Gabín Brenlla
Hello, We are currently working on a project about Django for the master in computer engineering at the University of La Coruña. We would like to interview several project contributors to find out about different aspects of the project that may not be reflected in the documentation and when

Re: Technical Board Decision Needed: Admin append_slash behaviour.

2021-01-06 Thread Adam Johnson
I agree with James, this is going down something of a rabbit hole of micro security holes within the trusted area of the admin. There is also lower hanging fruit in the realm of admin security. For instance geodjango's admin extensions rely on external scripts and are not compatible with a strict

Re: Proposal: Drop dependency on pytz in favor of zoneinfo

2021-01-06 Thread Adam Johnson
I'm also +1 on Aymeric's suggestion. On Wed, 6 Jan 2021 at 15:44, Carlton Gibson wrote: > Hey Nick, > > Super, no problem. 4.0 is fine. (And Aymeric's option does sound better > yes.) > > Thanks! > C > > On Wednesday, 6 January 2021 at 16:12:32 UTC+1 Nick Pope wrote: > >> Hi Carlton, >> >>

Re: Technical Board Decision Needed: Admin append_slash behaviour.

2021-01-06 Thread Tom Forbes
I agree with this especially around the point about timing attacks. I don’t believe potentially being able to infer the names of models in a very, very noisy way (thousands of requests) gives anyone leverage in a system or even any particularly sensitive information at all. Maybe in a really

Re: Technical Board Decision Needed: Admin append_slash behaviour.

2021-01-06 Thread אורי
Hi, For security reasons, I would recommend protecting any url which starts with /admin/ (or the website's admin url prefix) with an HTTPS password from the web server directly (such as Nginx or Apache), so that even the login to the admin will be protected. You may consider adding this

Re: Status of 3.2 release blockers.

2021-01-06 Thread Florian Apolloner
Hi Carlton, I'd like to put https://github.com/django/django/pull/12553 https://github.com/django/django/pull/13800 onto this list as well. They are imo basically finished and I'd love reviews from our fellows. Let me know if I can help somewhere else in exchange ;) Cheers, Florian On

Re: Technical Board Decision Needed: Admin append_slash behaviour.

2021-01-06 Thread Tim Graham
As a non-technical board member, I'd prefer option 1. I also think that for most use cases, staff users are at least somewhat trusted and even if they are not, model enumeration isn't likely to be a security problem. On Wednesday, January 6, 2021 at 5:07:44 AM UTC-5 carlton...@gmail.com wrote:

Re: Technical Board Decision Needed: Admin append_slash behaviour.

2021-01-06 Thread Carlton Gibson
Hi Uri. Can I please ask that this discussion not get side-tracked. I'm asking for a Technical Board decision on the specific question, under the rules of DEP 10. The PR in question has been in progress for six months, and we want to resolve it in time for the Django 3.2 feature freeze

Re: Status of 3.2 release blockers.

2021-01-06 Thread Carlton Gibson
Hey Florian. OK +1, no problem. > Let me know if I can help somewhere else in exchange ;) Super. On Wednesday, 6 January 2021 at 10:31:54 UTC+1 f.apo...@gmail.com wrote: > Hi Carlton, > > I'd like to put > https://github.com/django/django/pull/12553 >

Technical Board Decision Needed: Admin append_slash behaviour.

2021-01-06 Thread Carlton Gibson
Hi all, I need to ask for a Technical Board decision on the resolution of Ticket #31747. Ticket #31747: Avoid potential admin model enumeration https://code.djangoproject.com/ticket/31747 PR #13134: Fixed #31747 -- Fixed model enumeration via admin URLs.

Re: Technical Board Decision Needed: Admin append_slash behaviour.

2021-01-06 Thread James Bennett
I'm going to be the contrarian here and at least ask whether the right answer is "don't do any of these options". To see why, consider a hypothetical world where we do one of the above options, and a site sets whatever config is necessary to disable APPEND_SLASH behavior in the admin. The very

Re: Status of 3.2 release blockers.

2021-01-06 Thread Carlton Gibson
TBH I see Adam has given it the All clear. There should be some way that enough of that adds up to it just getting merged (but I REALLY don't have capacity to think about THAT this week) It's on the list. On Wednesday, 6 January 2021 at 16:46:37 UTC+1 Carlton Gibson wrote: > Hey Nick. > >

Re: Proposal: Drop dependency on pytz in favor of zoneinfo

2021-01-06 Thread Carlton Gibson
Hey Nick, Super, no problem. 4.0 is fine. (And Aymeric's option does sound better yes.) Thanks! C On Wednesday, 6 January 2021 at 16:12:32 UTC+1 Nick Pope wrote: > Hi Carlton, > > Sorry I didn't reply on the PR about advancing anything for 3.2. I ran out > of capacity and at this late

Re: Proposal: Drop dependency on pytz in favor of zoneinfo

2021-01-06 Thread Nick Pope
Hi Carlton, Sorry I didn't reply on the PR about advancing anything for 3.2. I ran out of capacity and at this late stage it is best to wait until 4.0 anyway. I see that Aymeric is in favour of forging ahead to use zoneinfo in 4.0 as was my preference, but with the addition of an opt-out

Re: Status of 3.2 release blockers.

2021-01-06 Thread Carlton Gibson
Hey Nick. Yes, good. Issue is capacity to look at it. If I can get there I will. Kind Regards, Carlton On Wednesday, 6 January 2021 at 16:01:15 UTC+1 Nick Pope wrote: > Hi Carlton, > > Just wondering if you're still willing to accept the following for 3.2: > >-

Re: Status of 3.2 release blockers.

2021-01-06 Thread Nick Pope
Hi Carlton, Just wondering if you're still willing to accept the following for 3.2: - https://code.djangoproject.com/ticket/16117 - https://github.com/django/django/pull/13532 Adam marked it "ready for checkin" about 6 weeks ago. Cheers, Nick On Wednesday, 6 January 2021 at 10:04:18