Changes between Version 1 and Version 9 of Ticket #35730
- Timestamp:
- Sep 9, 2024, 4:01:19 AM (3 months ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Ticket #35730
- Property Triage Stage Unreviewed → Accepted
- Property Owner set to
- Property Status new → assigned
- Property Version 5.1 → dev
- Property Patch needs improvement set
- Property Needs documentation set
- Property Summary Enhance password reset security by signing 'uid' parameter instead of base64-encoding to prevent possible user count leakage → Enhance password reset security by encrypting 'uid' parameter instead of base64-encoding to prevent possible user count leakage
-
Ticket #35730 – Description
v1 v9 5 5 Surely, organizations that design their entities with non-enumerable public identifiers (such as by using a `UUIDField` for the primary key) would not be affected by this, however as the issue is also addressed by other means, such as a secondary public identifier, or simply a careful app design, I would still think that many Django site owners who prefer to keep this information private are likely unaware that it’s being exposed through this native mechanism. 6 6 7 To prevent the leakage of the `user.pk` value by default, I replaced the base64 encoding with the signing of the `user.pk` value (PR https://github.com/django/django/pull/18539).7 To prevent the leakage of the `user.pk` value by default, I replaced the base64 encoding with the ~~signing~~ encrypting of the `user.pk` value (PR https://github.com/django/django/pull/18539).