On 06/04/16 11:35, Josh Smeaton wrote:
> I like the idea of addressing the OWASP top 10. Further, I think the
> advice of obscuring keys is wrong. The problem is actually addressed in
> the OWASP Top 10[0]
>
> *4 Insecure Direct Object References:*
> A direct object reference occurs when a developer exposes a reference to
> an internal implementation object, such as a file, directory, */or
> database key/*. Without an access control check or other protection,
> attackers can manipulate these references to access unauthorized data.
>
> The proper solution is *Access Controls* like the Permissions system
> provides.
Exactly... or just filtering the queryset according to the logged-in
User, and returning a 404 otherwise -- get_object_or_404 can make this
trivial...

(yes 404, as 403 potentially admits the existence of the record in
question -- see GitHub's behavior)
--
Curtis
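The pattern Curtis describes, as an added example that is not code from this thread or from Django itself: a view that looks a record up by primary key alone (the direct object reference OWASP A4 warns about), a variant that checks ownership but answers 403, and the recommended form that folds the owner into the lookup so "not yours" and "does not exist" both come back as 404. Http404, PermissionDenied and get_object_or_404 are minimal stand-ins with the same calling shape as Django's so the block runs without Django installed; the INVOICES table and the user ids 10 and 20 are constructed sample data.

```python
class Http404(Exception):
    """Stand-in for django.http.Http404 so the block runs without Django."""

class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (rendered as 403)."""

# Constructed sample table: invoices for two users (ids 10 and 20), keyed by pk.
INVOICES = {
    1: {"pk": 1, "owner_id": 10, "total": 120},
    2: {"pk": 2, "owner_id": 10, "total": 45},
    3: {"pk": 3, "owner_id": 20, "total": 999},
}

def get_object_or_404(table, **filters):
    """Stand-in shaped like django.shortcuts.get_object_or_404: every keyword
    is a filter, and no row matching all of them means Http404."""
    for row in table.values():
        if all(row[field] == value for field, value in filters.items()):
            return row
    raise Http404

def invoice_total_idor(user_id, pk):
    """Direct object reference with no access check (OWASP A4): any logged-in
    user who supplies another user's pk reads that invoice."""
    return get_object_or_404(INVOICES, pk=pk)["total"]

def invoice_total_403(user_id, pk):
    """Checks ownership but answers 403, so the status alone tells a client
    whether a pk exists: 404 for absent rows, 403 for someone else's."""
    inv = get_object_or_404(INVOICES, pk=pk)
    if inv["owner_id"] != user_id:
        raise PermissionDenied
    return inv["total"]

def invoice_total(user_id, pk):
    """Owner folded into the lookup: 'not yours' and 'does not exist' both
    surface as 404, so there is no existence oracle."""
    return get_object_or_404(INVOICES, pk=pk, owner_id=user_id)["total"]

def status_for(view, user_id, pk):
    """Reduce a view call to the HTTP status a client would observe."""
    try:
        view(user_id, pk)
        return 200
    except Http404:
        return 404
    except PermissionDenied:
        return 403
```

In a real Django view the same line reads `get_object_or_404(Invoice, pk=pk, owner=request.user)`; the owner filter is what turns the lookup into the access control check.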