From d32a232fe92e0162030c7905f877d8a07c09e6c7 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Mon, 11 Jan 2021 21:57:48 +0100
Subject: [PATCH] Refs #27468 -- Removed support for the pre-Django 3.1
signatures in Signer and signing.dumps()/loads().
Per deprecation timeline.
---
django/core/signing.py | 14 +-------------
docs/releases/4.0.txt | 7 +++++++
tests/signing/tests.py | 18 +-----------------
3 files changed, 9 insertions(+), 30 deletions(-)
diff --git a/django/core/signing.py b/django/core/signing.py
index a5bccfbdc8..804b6e773c 100644
--- a/django/core/signing.py
+++ b/django/core/signing.py
@@ -120,9 +120,6 @@ def loads(s, key=None, salt='django.core.signing', serializer=JSONSerializer, ma
class Signer:
- # RemovedInDjango40Warning.
- legacy_algorithm = 'sha1'
-
def __init__(self, key=None, sep=':', salt=None, algorithm=None):
self.key = key or settings.SECRET_KEY
self.sep = sep
@@ -139,10 +136,6 @@ class Signer:
def signature(self, value):
return base64_hmac(self.salt + 'signer', value, self.key, algorithm=self.algorithm)
- def _legacy_signature(self, value):
- # RemovedInDjango40Warning.
- return base64_hmac(self.salt + 'signer', value, self.key, algorithm=self.legacy_algorithm)
-
def sign(self, value):
return '%s%s%s' % (value, self.sep, self.signature(value))
@@ -150,12 +143,7 @@ class Signer:
if self.sep not in signed_value:
raise BadSignature('No "%s" found in value' % self.sep)
value, sig = signed_value.rsplit(self.sep, 1)
- if (
- constant_time_compare(sig, self.signature(value)) or (
- self.legacy_algorithm and
- constant_time_compare(sig, self._legacy_signature(value))
- )
- ):
+ if constant_time_compare(sig, self.signature(value)):
return value
raise BadSignature('Signature "%s" does not match' % sig)
diff --git a/docs/releases/4.0.txt b/docs/releases/4.0.txt
index a6f5bdb12e..0088953b3e 100644
--- a/docs/releases/4.0.txt
+++ b/docs/releases/4.0.txt
@@ -285,3 +285,10 @@ to remove usage of these features.
use the SHA-1 hashing algorithm) is removed.
* Support for the pre-Django 3.1 encoding format of sessions is removed.
+
+* Support for the pre-Django 3.1 ``django.core.signing.Signer`` signatures
+ (encoded with the SHA-1 algorithm) is removed.
+
+* Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures
+ (encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` is
+ removed.
diff --git a/tests/signing/tests.py b/tests/signing/tests.py
index 50b2b0d9bb..f4c20b9aff 100644
--- a/tests/signing/tests.py
+++ b/tests/signing/tests.py
@@ -67,14 +67,6 @@ class TestSigner(SimpleTestCase):
with self.assertRaisesMessage(InvalidAlgorithm, msg):
signer.sign('hello')
- def test_legacy_signature(self):
- # RemovedInDjango40Warning: pre-Django 3.1 signatures won't be
- # supported.
- signer = signing.Signer()
- sha1_sig = 'foo:l-EMM5FtewpcHMbKFeQodt3X9z8'
- self.assertNotEqual(signer.sign('foo'), sha1_sig)
- self.assertEqual(signer.unsign(sha1_sig), 'foo')
-
def test_sign_unsign(self):
"sign/unsign should be reversible"
signer = signing.Signer('predictable-secret')
@@ -151,20 +143,12 @@ class TestSigner(SimpleTestCase):
self.assertNotEqual(o, signing.dumps(o, compress=True))
self.assertEqual(o, signing.loads(signing.dumps(o, compress=True)))
- def test_dumps_loads_legacy_signature(self):
- # RemovedInDjango40Warning: pre-Django 3.1 signatures won't be
- # supported.
- value = 'a string \u2020'
- # SHA-1 signed value.
- signed = 'ImEgc3RyaW5nIFx1MjAyMCI:1k1beT:ZfNhN1kdws7KosUleOvuYroPHEc'
- self.assertEqual(signing.loads(signed), value)
-
@ignore_warnings(category=RemovedInDjango40Warning)
def test_dumps_loads_default_hashing_algorithm_sha1(self):
value = 'a string \u2020'
with self.settings(DEFAULT_HASHING_ALGORITHM='sha1'):
signed = signing.dumps(value)
- self.assertEqual(signing.loads(signed), value)
+ self.assertEqual(signing.loads(signed), value)
def test_decode_detects_tampering(self):
"loads should raise exception for tampered objects"