mirror of
https://github.com/django/django.git
synced 2024-12-22 17:16:24 +00:00
Fixed #22804 -- Added warning for unsafe value of 'sep' in Signer
Thanks Jaap Roes for completing the patch.
This commit is contained in:
parent
6bd8462380
commit
0d71349773
@ -38,15 +38,20 @@ from __future__ import unicode_literals
|
||||
import base64
|
||||
import datetime
|
||||
import json
|
||||
import re
|
||||
import time
|
||||
import warnings
|
||||
import zlib
|
||||
|
||||
from django.conf import settings
|
||||
from django.utils import baseconv
|
||||
from django.utils.crypto import constant_time_compare, salted_hmac
|
||||
from django.utils.deprecation import RemovedInDjango110Warning
|
||||
from django.utils.encoding import force_bytes, force_str, force_text
|
||||
from django.utils.module_loading import import_string
|
||||
|
||||
_SEP_UNSAFE = re.compile(r'^[A-z0-9-_=]*$')
|
||||
|
||||
|
||||
class BadSignature(Exception):
|
||||
"""
|
||||
@ -150,8 +155,11 @@ class Signer(object):
|
||||
|
||||
def __init__(self, key=None, sep=':', salt=None):
|
||||
# Use of native strings in all versions of Python
|
||||
self.sep = force_str(sep)
|
||||
self.key = key or settings.SECRET_KEY
|
||||
self.sep = force_str(sep)
|
||||
if _SEP_UNSAFE.match(self.sep):
|
||||
warnings.warn('Unsafe Signer separator: %r (cannot be empty or consist of only A-z0-9-_=)' % sep,
|
||||
RemovedInDjango110Warning)
|
||||
self.salt = force_str(salt or
|
||||
'%s.%s' % (self.__class__.__module__, self.__class__.__name__))
|
||||
|
||||
|
@ -247,6 +247,9 @@ details on these changes.
|
||||
* Support for the syntax of ``{% cycle %}`` that uses comma-separated arguments
|
||||
will be removed.
|
||||
|
||||
* The warning that :class:`~django.core.signing.Signer` issues when given an
|
||||
invalid separator will become an exception.
|
||||
|
||||
.. _deprecation-removed-in-1.9:
|
||||
|
||||
1.9
|
||||
|
@ -974,6 +974,9 @@ Miscellaneous
|
||||
``django.utils.feedgenerator.RssFeed.mime_type`` attributes are deprecated in
|
||||
favor of ``content_type``.
|
||||
|
||||
* :class:`~django.core.signing.Signer` now issues a warning if an invalid
|
||||
separator is used. This will become an exception in Django 1.10.
|
||||
|
||||
.. removed-features-1.9:
|
||||
|
||||
Features removed in 1.9
|
||||
|
@ -1,6 +1,7 @@
|
||||
from __future__ import unicode_literals
|
||||
|
||||
import datetime
|
||||
import warnings
|
||||
|
||||
from django.core import signing
|
||||
from django.test import SimpleTestCase
|
||||
@ -112,6 +113,23 @@ class TestSigner(SimpleTestCase):
|
||||
s = signing.Signer(binary_key)
|
||||
self.assertEqual('foo:6NB0fssLW5RQvZ3Y-MTerq2rX7w', s.sign('foo'))
|
||||
|
||||
def test_valid_sep(self):
|
||||
separators = ['/', '*sep*', ',']
|
||||
for sep in separators:
|
||||
signer = signing.Signer('predictable-secret', sep=sep)
|
||||
self.assertEqual('foo%ssH9B01cZcJ9FoT_jEVkRkNULrl8' % sep, signer.sign('foo'))
|
||||
|
||||
def test_invalid_sep(self):
|
||||
"""should warn on invalid separator"""
|
||||
separators = ['', '-', 'abc']
|
||||
for sep in separators:
|
||||
with warnings.catch_warnings(record=True) as recorded:
|
||||
warnings.simplefilter('always')
|
||||
signing.Signer(sep=sep)
|
||||
self.assertEqual(len(recorded), 1)
|
||||
msg = str(recorded[0].message)
|
||||
self.assertTrue(msg.startswith('Unsafe Signer separator'))
|
||||
|
||||
|
||||
class TestTimestampSigner(SimpleTestCase):
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user