Difference between comment_count and commentsbox_count - facebook-graph-api

In the API result (http://developers.facebook.com/docs/reference/fql/link_stat/) there are two counts about comments:
comment_count: The number of comments users have made on the shared story
commentsbox_count: The number of comments from a comments box on this URL. This only includes top level comments, not replies
What is the difference? Does the comment_count include the commentsbox_count?

They are quite different from each other.
comment_count refers to the number of comments made inside Facebook on a shared story, whereas commentsbox_count refers to the comments made on the external site via the comments plugin. Sites can use the comments plugin to easily put up a comment box on their website without having to implement it themselves. The commentsbox_count can be queried to get the number of comments left on each URL there.

Django 2.x: Is using the Primary Key of a Model in the URL pattern a security concern?

The id (PK) of a model/ DB can be passed to and used in the URL pattern. Everyone, including hackers, would be able to piece together some information about my DB from this and the actual data in the template.
My questions are kind of general at this point. I would just like to understand how the info above could be used to compromise the data. Or if someone could point me to some further reading about this topic I would appreciate it.
This is a general question as I am trying to gain more understanding into securing Django sites. I have read several articles but nothing's satisfied the question.
Code:
Where the href passes the blog's id to be used in URL matching and ultimately pulling data from the DB in the views/template:
<a href="{% url 'details' blog.id %}">
and
from django.urls import path
from . import views

urlpatterns = [
    path('<int:blog_id>/', views.details, name='details'),
]
And the URL being:
domain/appname/blog_id/
TL;DR: Can you hack my site with the few pieces of information I am freely giving away concerning the backend?
First it depends on how your ids are generated. The default in Django is to use sequential numbers, which gives away the following (non-exhaustive) information:
Someone can easily try other ids to see what they get. If you haven't properly protected access to ids you don't want to show, someone might be able to see content they shouldn't see. Many information leaks were just due to this: Guess the URL et voilà! Something that was supposed to be published tomorrow is suddenly leaked today. The same applies for dates in the URL. Of course, if you have proper checks for who's allowed to view "draft" posts, there's no harm.
By trying all ids, you can find out numbers: maybe you don't want others to know how many products you have in your database because it's sensitive information. If I can just do /products/4924 to fetch info about product #4924, I can easily create a script to quickly increase the number until I get 404 Not Found, by which time I know there are 10252 products in your database.
If you have a form to make changes to an order and use the id in the URL to determine which order to change (never do just that by the way, make sure you check the order belongs to the user), someone could just pick different ids to mess with other people's orders. That can happen easily with an UpdateView where you forget to check permissions.
Regarding the last one: I see plenty of posts here on SO where people show their UpdateView for changing user profiles and other really sensitive information. In most cases the pk is the URL parameter used to fetch the UserProfile. But I almost never see a decorator or mixin (PermissionRequiredMixin or UserPassesTestMixin) to check that the user is actually the one authorised to modify this object. I just pray it's left out for clarity's sake :-)
On the other hand, in many cases there's not much harm in using ids. This site, StackOverflow, uses a sequential id for the URL of a question/answer. Nothing serious can happen here if I randomly try other ids. And apparently they are happy to share how many questions and answers have been posted so far (57478609 when you posted this question).
TL;DR: Except for giving visitors the ability to "count" objects in your database, all other security issues with using sequential ids aren't real issues if you take care of your security. But by using random ids, e.g. uuids in your URLs (not necessarily replacing the pk in the db) you can reduce the risk if you forgot to secure something where people can guess ids (or your intern forgot and it got past your code review and unit tests somehow).
You asked a general question, and the general answer would be: "It depends"
TL;DR: Can you hack my site with the few pieces of information I am freely giving away concerning the backend?
This question is broad. You could hack a site with a toothpick if you annoy the site owner by poking them with it until they give you the password.
Instead I'll assume you asked the titular question:
Q: Are PKs in URLs a security concern?
A: They can be.
In your example you mention blog posts, so let's assume your site has plenty of users all writing blog posts. Now you add the ability for a User to set their latest blog entry to "private". Blog posts marked private only show up on the dashboard for the user that wrote them, and don't show up on everyone else's blog feeds, e.g.:
{% for article in articles %}
  {% if not article.private %}
    ... <article feed stuff here>
  {% endif %}
{% endfor %}
Great!
However, one of your users posts a private article and looks at the address bar, which shows https://myblog.blog/articles/42, and then at a previous article they wrote yesterday, which is https://myblog.blog/articles/37, and deduces that the IDs are sequential. On a whim they type into the address bar https://myblog.blog/articles/41 and oh dear, now they're looking at an article that someone else posted, which for the sake of argument we'll say was also set to private.
Because we had no check in place to make sure that the user looking at the (private) blog post was permitted to do so, we exposed someone's private information. Which is bad enough for blog posts but a very expensive disaster for e.g. bank accounts (there are plenty of examples of major banks slipping up on this particular issue).
Django has a robust system for dealing with this sort of thing: https://docs.djangoproject.com/en/2.2/topics/auth/default/#limiting-access-to-logged-in-users-that-pass-a-test
The argument can still be made that as well as permissions checks, good practice would be to use UUIDs (or short UUIDs) for the id "slugs" in the URLs of any objects that you would rather weren't guessable.
Also, not security related but on the subject of URLs for public articles and blog posts you may find this interesting: https://wellfire.co/learn/fast-and-beautiful-urls-with-django/
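Both answers make the same two points: a sequential pk lets a visitor walk the id space (to count objects, or to read rows nobody protected), and the real defence is an ownership check in the detail view, with a random lookup key as a second layer. The block below is an added, self-contained illustration of those points and is not code from the question, the answers or Django itself; it runs without Django, so the "views" are plain functions, NotFound stands in for Http404, and the article store, usernames and titles are constructed sample data. The public_id column and the view/function names are assumptions made for the example.

```python
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Article:
    pk: int          # sequential database primary key, as Django assigns by default
    owner: str       # username of the author
    title: str
    private: bool
    # Assumption: a second, random lookup column for use in URLs. The integer
    # pk stays the primary key in the database, as the first answer suggests.
    public_id: str = field(default_factory=lambda: str(uuid.uuid4()))


class NotFound(Exception):
    """Stand-in for Django's Http404."""


# Constructed sample data: pks 37..42 with gaps, two of them private drafts.
ARTICLES: Dict[int, Article] = {
    a.pk: a
    for a in [
        Article(37, "alice", "Alice's public post", False),
        Article(38, "bob", "Bob's public post", False),
        Article(41, "bob", "Bob's private draft", True),
        Article(42, "alice", "Alice's private draft", True),
    ]
}
BY_PUBLIC_ID: Dict[str, Article] = {a.public_id: a for a in ARTICLES.values()}


def details_vulnerable(user: str, pk: int) -> Article:
    """The pattern the second answer warns about: the equivalent of
    get_object_or_404(Article, pk=blog_id) with no ownership test. The feed
    template may hide private posts, but this view hands any row to anyone
    who types its pk into the address bar."""
    try:
        return ARTICLES[pk]
    except KeyError:
        raise NotFound(pk) from None


def details_hardened(user: str, pk: int) -> Article:
    """Same lookup plus the check a UserPassesTestMixin.test_func would make:
    a private article is only returned to its owner. Answering 404 rather than
    403 also avoids confirming that a private object with this pk exists."""
    article = details_vulnerable(user, pk)
    if article.private and article.owner != user:
        raise NotFound(pk)
    return article


def details_by_public_id(user: str, public_id: str) -> Article:
    """Lookup by the random key instead of the pk (in Django 2.x the URL
    pattern would be path('<uuid:public_id>/', ...)). Random keys stop the
    guessing and the counting, but the ownership test stays: a key that was
    shared or leaked must still not expose someone else's private post."""
    article = BY_PUBLIC_ID.get(public_id)
    if article is None or (article.private and article.owner != user):
        raise NotFound(public_id)
    return article


def enumerate_ids(view: Callable[[str, int], Article], user: str,
                  start: int, stop: int) -> Dict[int, str]:
    """What the first answer's "create a script to quickly increase the number"
    looks like: walk a pk range and keep every title the view returns. The
    size of the result is the object count the answer says you give away."""
    found: Dict[int, str] = {}
    for pk in range(start, stop):
        try:
            found[pk] = view(user, pk).title
        except NotFound:
            continue
    return found


def is_denied(view: Callable, user: str, key) -> bool:
    """True if the view refuses (404s) the request; used to compare the two
    detail views from the point of view of a non-owner."""
    try:
        view(user, key)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    # mallory is logged in but owns nothing
    print(enumerate_ids(details_vulnerable, "mallory", 0, 100))  # leaks both private drafts
    print(enumerate_ids(details_hardened, "mallory", 0, 100))    # only the two public posts
    print(is_denied(details_hardened, "mallory", 42), is_denied(details_hardened, "alice", 42))
```

Walking pks 0..99 against details_vulnerable returns all four rows, private drafts included, and its length is the object count; against details_hardened the same walk returns only the two public posts. The public_id view shows the layering the first answer describes: the random key removes guessability, while the ownership test still decides who may read a private post.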

django-cms: link to plugin with hashtag

I have a "contact" link on a webpage that needs a #idxx hashtag added, so the browser directly shows the contact info (which is on an about page). As the link is quite static, I've added it with django-cms's {% page_url 'contact' %} tag, and then manually added the hash. BUT: As soon as I change something on the contacts page and then publish the changes, the plugin's id will change. I already enhance the menu with selected plugins (Institute / About / Contact). Is there an elegant solution for this problem, for example accessing the menu again, only for that specific node?
Real world example: http://www.wti.org
EDIT: If possible, a solution that is 'invisible' to the user/editor is preferred. That means: no parent plugins to put things in, no manual ids that users have to set. If possible...
Would a simple solution be to assign the target a static id, e.g. #contactinfo? Many plugins allow you to give them a static id. If your target plugin does not, you could have it preceded by an empty Style plugin. I use aldryn-style, available here: https://github.com/aldryn/aldryn-style

Optimizely: measure page impressions

I want to include a new link block on my pages. But before I activate it I want to test if it makes sense.
So following Optimizely's article on pageview goals I set up a test to measure page view conversions. But obviously I am doing it wrong.
As a simplified example let's assume, all my pages have URLs of the following pattern: www.mydomain.com/page_[0-9]+.htm
(for example www.mydomain.com/page_123.htm).
And my new link will lead the user to another page of the above pattern.
The problem seems to be that Optimizely does not really count the number of pages visited, but instead counts the first visit already as a conversion (given that the URL pattern always matches).
So both my test variations turn out the same results.
What am I doing wrong here?
I found a workaround which seems to do the trick (although not being the perfect solution):
Using Javascript I append #opt (or whatever you like) to the links in question.
And the goal pattern is accordingly changed to www.mydomain.com/page_[0-9]+.htm#opt.
This way...
the first page the visitor visits will not be counted as a conversion (since #opt is missing)
all the other pages on the site won't be counted for the same reason
except the ones that are specifically targeted in my tested links.

Posting a link via Graph seems to now be adding a "story" and "story_tags" implicitly and overwriting my fields?

Posting links via Graph to my feed, I am noticing that new "story" and "story_tags" fields are being implicitly added (without my intention). This is new behavior as of on or around 07/20/12, as if I look at links prior to that in my feed, they did not include these extra 2 fields.
One of the issues I have with this is that the "story" and/or "story_tags" field appears to be triggering something new that has unexpectedly altered the display of the link on my feed, as the new posts no longer resemble those I made 07/19 and earlier, IF the link is to a page on Facebook. Specifically, my "picture," "caption" and "description" values seem to be getting overwritten by content pulled from the FB page I am linking to. If however I link to an external page then this does not occur (although curiously the "caption" field seems to now be overwritten with the link in this case, or simply ignored altogether).
Furthermore, I have an Xbox 360 game that posts links to my page (it links to a page on Facebook for the game). I just did one now. When I look at it in my feed in Graph it does not contain a "story" or "story_tags" field. Thus, their caption, description and picture fields are not being overwritten like mine are when I set my link to a Facebook page. How are they getting around this? Is there some way I can do the same through Graph?
I am not sure what you mean exactly, but since I've started working with Graph i've noticed the story and story_tags.
As far as I could see a message is posted by a person itself, and a story is something like [user] is tagged in picture, or [user] liked a story.
And indeed the story and story_tags do not contain a whole lot of info. But you should check for picture, caption and description anyway, because as I've noticed they aren't always there.

Limit category transclusion when using dynamically-generated categories in MediaWiki

At first I wasn't sure if a question on how to do something advanced in MediaWiki belonged here, but upon reading the faq and thinking about it, I decided that wiki markup is as much its own language as HTML and CSS, and if those questions are welcome here, then hopefully this is too! If I am wrong feel free to flag this question. Update: Well as evidenced by the 3 views this question got, I suppose that while perhaps it's within the rules of Stackoverflow, there might not be much expertise on the subject! I suppose I will need to take this question to the official forums (shudder)
The problem
On a wiki I am setting up powered by MediaWiki, I have a Template that outputs, among other things, dynamically created categories. This means that the page that invokes the template will be categorized based on some of the variables passed to the template. The dynamically generated categories are inside <includeonly> blocks to prevent the template page itself from getting the categories.
The problem is that I then transclude that page on to other pages, which causes the categories to be transcluded as well, and now that third page has all of the categories of all of the pages it transcluded.
I want to somehow format the template such that the page that invokes the template will make use of the categories but any pages that transclude the invoking page will not inherit the categories.
Example
Here's my best shot at an example of the setup. If this is inadequate I can provide links to my real-world example.
Template:Food
A page that takes a couple variables and outputs a highly formatted block that explains the food, including outputting a category based on the "type" variable.
Banana
This page invokes the Template:Food template with a few variables, including type set to "fruit". The result is when the user views the "Banana" page they get a nicely formatted page with some basic information about the fruit. Furthermore, if the user goes to the Category:Fruit page, they will see the Banana page listed.
Banana Nut Bread Recipe
This is the problem page. On this recipe page, the author wants to transclude all of the pages for ingredients so that each ingredient is listed in its nicely formatted block. However, when he transcludes the Banana page using {{:Banana}}, the Fruit category is transcluded along with it and now the Banana Nut Bread Recipe page is listed as being in the Fruit category which is wrong.
If I understand correctly, you want to limit the includeonly info (the category) to only depth 1 transclusion. I don't think it's possible.
Possible solutions:
1- Don't put category info into the Template:Food. Just put it directly in each ingredient page or if you really must, create a Template:Food_category or similar. Then each page could have any number of {{Food}}s and the {{food category}}s would need to be explicitly put.
The Labeled Section Transclusion extension lets you tag parts of a source article with labels, and transclude based on those tags. The tags can overlap, so that you have very granular control over what gets pulled through.
https://www.mediawiki.org/wiki/Extension:Labeled_Section_Transclusion
I would think that with Labeled Section Transclusion, you could transclude both the Type:fruit and the Banana description in separate transclusion statements on the Banana page, but only pull the description through to the Recipe page.