Commit 7edc23c

Author: Peter Williams (committed)
Merge branch 'gist-comment-uris'
Conflicts: lib/resources.rb
2 parents 9fd50eb + 0543c92 commit 7edc23c

2 files changed

+16
-4
lines changed
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
---
2+
kind: change
3+
title: Gist comment URIs
4+
created_at: 2012-10-31
5+
author_name: pezra
6+
---
7+
8+
The URIs of all gist comments are changing immediately. The new URI pattern for gist comments is `/gists/{gist-id}/comments/{id}`. (See [gist comments section of the docs](/v3/gists/comments/) for more details.) This change is necessary because the auto-incremented id of gist comments is easy to guess. This predictability allows anyone to view comments on private Gists with relative ease. Obviously, comments on private gists should be just as private as the gist itself.
9+
10+
Adding the id of the gist id to the URI makes it impossible, in practical terms, because that id is a very large random number. This is, unfortunately, a breaking change but one that cannot be avoided because of the security implications of the current URIs. We apologize for the inconvenience.
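Review bot: the second paragraph of the changelog entry has a doubled word and a sentence with no object: "Adding the id of the gist id to the URI makes it impossible, in practical terms, because ..." never says what becomes impossible. Suggest "Adding the gist id to the URI makes guessing a comment's URI impossible, in practical terms, because that id is a very large random number." It would also help readers to state explicitly whether the old comment URIs now stop resolving (404) rather than continuing to serve the comment, since the privacy fix described in the first paragraph only holds if the old predictable route is gone; the post says the URIs are "changing immediately" but does not say what happens to the old ones.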

lib/resources.rb

Lines changed: 6 additions & 4 deletions
@@ -2,6 +2,7 @@
22
require 'yajl/json_gem'
33
require 'stringio'
44
require 'cgi'
5+
require 'securerandom'
56

67
module GitHub
78
module Resources
@@ -677,7 +678,7 @@ def text_html(response, status, head = {})
677678
GIST_HISTORY = {
678679
"history" => [
679680
{
680-
"url" => "https://api.github.com/gists/1/57a7f021a713b1c5a6a199b54cc514735d2d462f",
681+
"url" => "https://api.github.com/gists/#{SecureRandom.hex(10)}",
681682
"version" => "57a7f021a713b1c5a6a199b54cc514735d2d462f",
682683
"user" => USER,
683684
"change_status" => {
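Review bot: the replaced history URL drops the revision suffix. The old value `https://api.github.com/gists/1/57a7f021a713b1c5a6a199b54cc514735d2d462f` pointed at a specific revision, matching the `"version"` field two lines below; the new `https://api.github.com/gists/#{SecureRandom.hex(10)}` points at the gist itself, so the history example no longer links to the version it describes. Suggest keeping the version on the URL, e.g. `"url" => "https://api.github.com/gists/#{SecureRandom.hex(10)}/57a7f021a713b1c5a6a199b54cc514735d2d462f"`.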
@@ -690,11 +691,12 @@ def text_html(response, status, head = {})
690691
]
691692
}
692693

694+
693695
GIST_FORKS = {
694696
"forks" => [
695697
{
696698
"user" => USER,
697-
"url" => "https://api.github.com/gists/5",
699+
"url" => "https://api.github.com/gists/#{SecureRandom.hex(10)}",
698700
"created_at" => "2011-04-14T16:00:49Z"
699701
}
700702
]
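Review bot: line 694 adds a stray blank line that is unrelated to the URI change; drop it so the hunk is limited to the fixture edit. The forks URL change itself is consistent with the other fixtures in this commit.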
@@ -707,7 +709,7 @@ def text_html(response, status, head = {})
707709
}
708710

709711
GIST = {
710-
"url" => "https://api.github.com/gists/1",
712+
"url" => "https://api.github.com/gists/#{SecureRandom.hex(10)}",
711713
"id" => "1",
712714
"description" => "description of gist",
713715
"public" => true,
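Review bot: the `GIST` fixture is now internally inconsistent: `"url"` embeds a fresh `SecureRandom.hex(10)` value while `"id" => "1"` on the next line is unchanged, so the example gist's id and its URL no longer agree. Each fixture touched in this commit (`GIST_HISTORY`, `GIST_FORKS`, `GIST`, `GIST_COMMENT`) also calls `SecureRandom.hex(10)` independently, so the rendered examples describe unrelated gists. Suggest generating the id once, e.g. `GIST_ID = SecureRandom.hex(10)` (hypothetical constant name), then `"id" => GIST_ID` and `"url" => "https://api.github.com/gists/#{GIST_ID}"` here and in the other fixtures.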
@@ -725,7 +727,7 @@ def text_html(response, status, head = {})
725727

726728
GIST_COMMENT = {
727729
"id" => 1,
728-
"url" => "https://api.github.com/gists/123/comments/1",
730+
"url" => "https://api.github.com/gists/#{SecureRandom.hex(10)}/comments/1",
729731
"body" => "Just commenting for the sake of commenting",
730732
"user" => USER,
731733
"created_at" => "2011-04-18T23:23:56Z"
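Review bot: the comment id `1` in `.../comments/1` still matches `"id" => 1` above, and the URL follows the `/gists/{gist-id}/comments/{id}` pattern documented in the changelog entry, which is right. The gist segment, however, is another independent `SecureRandom.hex(10)`, so this comment belongs to a gist that appears nowhere else in the examples; reusing the same gist id as the `GIST` fixture would let readers follow the URIs from one example to the next.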
