author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-07-31 20:56:33 +0200 |
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-08-04 09:35:24 +0200 |
commit | d907371ef99a1e4ca6bc1660f57d81f265750984 (patch) | |
tree | c71660e797eba97a3a6a6fa48ebc3f1bfa64441b /django/core | |
parent | bce4a53670668d6fd1e34685197151c17fd1b378 (diff) | |
download | django-d907371ef99a1e4ca6bc1660f57d81f265750984.tar.gz |
Fixed #31842 -- Added DEFAULT_HASHING_ALGORITHM transitional setting.
It's a transitional setting helpful in migrating multiple instances of
the same project to Django 3.1+.
Thanks Markus Holtermann for the report and review, Florian
Apolloner for the implementation idea and review, and Carlton Gibson
for the review.
Diffstat (limited to 'django/core')
-rw-r--r-- | django/core/checks/security/base.py | 13 | ||||
-rw-r--r-- | django/core/signing.py | 6 |
2 files changed, 17 insertions, 2 deletions
diff --git a/django/core/checks/security/base.py b/django/core/checks/security/base.py
index 38b2c786b9..d96c318add 100644
--- a/django/core/checks/security/base.py
+++ b/django/core/checks/security/base.py
@@ -116,6 +116,11 @@ E023 = Error(
     id='security.E023',
 )
 
+E100 = Error(
+    "DEFAULT_HASHING_ALGORITHM must be 'sha1' or 'sha256'.",
+    id='security.E100',
+)
+
 
 def _security_middleware():
     return 'django.middleware.security.SecurityMiddleware' in settings.MIDDLEWARE
@@ -228,3 +233,11 @@ def check_referrer_policy(app_configs, **kwargs):
     if not values <= REFERRER_POLICY_VALUES:
         return [E023]
     return []
+
+
+# RemovedInDjango40Warning
+@register(Tags.security)
+def check_default_hashing_algorithm(app_configs, **kwargs):
+    if settings.DEFAULT_HASHING_ALGORITHM not in {'sha1', 'sha256'}:
+        return [E100]
+    return []
diff --git a/django/core/signing.py b/django/core/signing.py
index 652694bb99..c6713c3033 100644
--- a/django/core/signing.py
+++ b/django/core/signing.py
@@ -147,7 +147,7 @@ class Signer:
     # RemovedInDjango40Warning.
     legacy_algorithm = 'sha1'
 
-    def __init__(self, key=None, sep=':', salt=None, algorithm='sha256'):
+    def __init__(self, key=None, sep=':', salt=None, algorithm=None):
         self.key = key or settings.SECRET_KEY
         self.sep = sep
         if _SEP_UNSAFE.match(self.sep):
@@ -156,7 +156,9 @@ class Signer:
                 'only A-z0-9-_=)' % sep,
             )
         self.salt = salt or '%s.%s' % (self.__class__.__module__, self.__class__.__name__)
-        self.algorithm = algorithm
+        # RemovedInDjango40Warning: when the deprecation ends, replace with:
+        # self.algorithm = algorithm or 'sha256'
+        self.algorithm = algorithm or settings.DEFAULT_HASHING_ALGORITHM
 
     def signature(self, value):
         return base64_hmac(self.salt + 'signer', value, self.key, algorithm=self.algorithm)
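Review bot: check_default_hashing_algorithm has no docstring, and nothing in the hunk tells a reader why 'sha1' is accepted as a valid value for a setting introduced alongside a move to SHA-256 signatures. Since this check is the only place a misconfigured value is caught before a Signer tries to use it, I would document that 'sha1' is the pre-3.1 algorithm, accepted only so a fleet of instances can be upgraded one at a time, and that the setting should be returned to 'sha256' (or removed) once every instance runs 3.1+, matching the bare `# RemovedInDjango40Warning` marker above it. A two-line docstring along the lines of `"""Transitional check (RemovedInDjango40Warning): DEFAULT_HASHING_ALGORITHM must be 'sha1' (legacy, for mixed-version deployments only) or 'sha256'."""` would do. The E100 message could also say "transitional" so the error itself points operators at the right fix rather than just the allowed values.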
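Review bot: `self.algorithm = algorithm or settings.DEFAULT_HASHING_ALGORITHM` reads the setting per instance and does not validate it, so a value outside {'sha1', 'sha256'} is only rejected by the separate security.E100 system check and otherwise surfaces later as a hashlib failure inside base64_hmac when signature() is first called. Because `or` is used, an explicit empty string is also silently replaced by the setting rather than treated as an error; `algorithm if algorithm is not None else settings.DEFAULT_HASHING_ALGORITHM` keeps None as the only sentinel, and a one-line comment noting that validation lives in django.core.checks.security would help the next reader. It is also worth stating in a comment that while the setting is 'sha1', every Signer constructed without an explicit algorithm keeps emitting SHA-1 HMACs, so the transitional window should be kept short. The enclosing __init__ begins in the previous hunk.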